63325 – Default body_min_rate not enabled in mod_reqtimeout

Bug 63325 - Default body_min_rate not enabled in mod_reqtimeout

Summary: Default body_min_rate not enabled in mod_reqtimeout

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_reqtimeout (show other bugs)
Version:	2.4.39
Hardware:	All Linux

Importance:	P2 major (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	FixedInTrunk

Duplicates (1):	63329 (view as bug list)
Depends on:
Blocks:

Reported:	2019-04-08 16:46 UTC by Oliver H
Modified:	2019-04-09 14:00 UTC (History)
CC List:	1 user (show)

Attachments
Fix reqtimeout macros lowercase (2.75 KB, patch) 2019-04-08 18:31 UTC, Yann Ylavic	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oliver H 2019-04-08 16:46:26 UTC

The changes to mod_reqtimeout made in 2.4.39 (as per bug 61310) have no default for the body_min_rate parameter, contrary to both the documentation and the behaviour of <=2.4.38.

This means that if no explicit RequestReadTimeout statement is made in httpd.conf, by default the server will return a 408 timeout after 20s even if the client is actively sending data to the server (e.g. for a large file upload). I found this bug when users reported they could no longer upload files to our websites.

I have tested under a fresh install of both Linux (Ubuntu) and FreeBSD (11 and 12).

While some distributions such as ubuntu explicitly define RequestReadTimeout in their default config, the documentation states the default is body=20,minrate=500 (which was correct for <=2.4.38). This means 2.4.39 breaks file uploads where the documented default is relied on, which is why I've marked this bug as major.

WORKAROUND: Explicitly set the default:
RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500
in httpd.conf and reload.

It looks like the changes made to mod_reqtimeout in 2.4.39 were fairly major in order to incorporate the new "handshake" stage, so although I've tried, I'm afraid I'm unable to see where the problem might lie. Sorry I can't be more help diagnosing this.

Many thanks.

Comment 1 Yann Ylavic 2019-04-08 17:39:13 UTC

Thanks for the report.

Do you set RequestReadTimeout partly (e.g. body= but no ,MinRate=) or not at all?

Comment 2 Oliver H 2019-04-08 17:59:24 UTC

I would assume that defining a simple body=20 would automatically stop minrate from working, so no: my report is based on when there are no RequestReadTimeout declarations in any conf file (I grepped thoroughly to confirm).

Oliver

Comment 3 Yann Ylavic 2019-04-08 18:31:46 UTC

Created attachment 36514 [details]
Fix reqtimeout macros lowercase

The macros MRT_DEFAULT_*_MIN_RATE which contain the default value were partially made lowercase for some magic, unfortunately the ones tested in reqtimeout_hooks() were not renammed, hence the bug.

Could you please try with this patch?

Comment 4 Yann Ylavic 2019-04-08 18:47:18 UTC

Fixed in r1857129, will propose a backport to next 2.4.x.

Comment 5 Oliver H 2019-04-09 08:49:20 UTC

Huge thanks for the quick work, I can confirm the patch fixes the issue.

Comment 6 Yann Ylavic 2019-04-09 14:00:37 UTC

*** Bug 63329 has been marked as a duplicate of this bug. ***