https://bz.apache.org/bugzilla/show_bug.cgi?id=62196

            Bug ID: 62196
           Summary: Proxy response headers can be thrown away after
                    processing a large header
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_http
          Assignee: bugs@httpd.apache.org
          Reporter: hwib...@gmail.com
  Target Milestone: ---

Response headers from a proxied request can be thrown away after reading a
large header. If a header exceeds the buffer size by a small amount -- say
the buffer size is 8 KB and the header is 10 KB -- the next header that is read
will be thrown away.

This looks to be due to ap_rgetline_core throwing away the extra bit of data
when it detects that the buffer would be overrun. ap_proxy_read_headers() in
mod_proxy_http.c then tries to soak up the 'extra data' which was already
thrown away by ap_rgetline_core and causes the next header to be thrown away:

    while ((len = ap_getline(field, MAX_STRING_LEN, rr, 1))
            >= MAX_STRING_LEN - 1) {
        /* soak up the extra data */
    }

Removing the while loop does not fix the problem because extra data will be
left from a large header that is at least 3x the proxy response buffer size.
The extra data is then seen as an invalid header and results in a HTTP 502
response.


In the example below, X-Test-Header-2 will be thrown away.

Sample config:
<VirtualHost *:80>
  ProxyPass "/test" "http://localhost:8080"
  ProxyPassReverse "/test" "http://localhost:8080"
</VirtualHost>

<VirtualHost *:8080>
  # large header > 8KB
  Header set X-Test-Header-1 "AAAAAAAAAAAAAAA..."
  Header set X-Test-Header-2 "Testing 1 2 3"
</VirtualHost>

Request/response:
$ curl -sD - http://localhost/test -o /dev/null
HTTP/1.1 200 OK
Date: Tue, 20 Mar 2018 15:46:37 GMT
Server: Apache/2.5.1-dev (Unix)
Last-Modified: Sun, 06 Nov 2016 05:34:43 GMT
ETag: "2d-5409b43abe2c0"
Accept-Ranges: bytes
Content-Length: 45
X-Test-Header-1: AAAA... [truncated]
Content-Type: text/html

Backend trace:
[Tue Mar 20 15:46:37.801645 2018] [headers:trace2] [pid 86969:tid
123145425690624] mod_headers.c(880): AH01502: headers:
ap_headers_output_filter()
[Tue Mar 20 15:46:37.801714 2018] [http:trace3] [pid 86969:tid 123145425690624]
http_filters.c(1070): [client ::1:59315] Response sent with status 200,
headers:
[Tue Mar 20 15:46:37.801767 2018] [http:trace5] [pid 86969:tid 123145425690624]
http_filters.c(1079): [client ::1:59315]   Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.801790 2018] [http:trace5] [pid 86969:tid 123145425690624]
http_filters.c(1082): [client ::1:59315]   Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.801889 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   Last-Modified: Sun, 06 Nov 2016
05:34:43 GMT
[Tue Mar 20 15:46:37.801915 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.801931 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   Accept-Ranges: bytes
[Tue Mar 20 15:46:37.801944 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   Content-Length: 45
[Tue Mar 20 15:46:37.801972 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.802032 2018] [http:trace4] [pid 86969:tid 123145425690624]
http_filters.c(900): [client ::1:59315]   X-Test-Header-2: Testing 1 2 3

Proxy trace:
[Tue Mar 20 15:46:37.805911 2018] [http:trace3] [pid 86970:tid 123145344696320]
http_filters.c(1070): [client ::1:59314] Response sent with status 200,
headers:
[Tue Mar 20 15:46:37.805926 2018] [http:trace5] [pid 86970:tid 123145344696320]
http_filters.c(1079): [client ::1:59314]   Date: Tue, 20 Mar 2018 15:46:37 GMT
[Tue Mar 20 15:46:37.805938 2018] [http:trace5] [pid 86970:tid 123145344696320]
http_filters.c(1082): [client ::1:59314]   Server: Apache/2.5.1-dev (Unix)
[Tue Mar 20 15:46:37.805952 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   Last-Modified: Sun, 06 Nov 2016
05:34:43 GMT
[Tue Mar 20 15:46:37.805964 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   ETag: \\"2d-5409b43abe2c0\\"
[Tue Mar 20 15:46:37.805976 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   Accept-Ranges: bytes
[Tue Mar 20 15:46:37.805987 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   Content-Length: 45
[Tue Mar 20 15:46:37.806009 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   X-Test-Header-1: AAAA...
[Tue Mar 20 15:46:37.806057 2018] [http:trace4] [pid 86970:tid 123145344696320]
http_filters.c(900): [client ::1:59314]   Content-Type: text/html
[Tue Mar 20 15:46:37.806090 2018] [core:trace6] [pid 86970:tid 123145344696320]
util_filter.c(797): [client ::1:59314] reinstate empty brigade to full brigade
in 'req_core' output filter
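
The failure mode described in this report, reduced to a small model (an added example, not httpd source and not the reporter's code). It assumes only what the report states: the line reader discards the overflow of an over-long line itself, and the caller then runs a "soak up" loop of the quoted shape. model_getline, header_survives, build_response and the 64-byte BUF_LEN are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64  /* stands in for MAX_STRING_LEN; constructed, kept tiny */

/* Constructed backend response: header 1 overflows BUF_LEN by a small amount. */
static void build_response(char *out)
{
    char big[BUF_LEN - 3];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    sprintf(out, "X-Test-Header-1: %s\nX-Test-Header-2: Testing 1 2 3\n"
                 "Content-Type: text/html\n\n", big);
}

/* Model reader: copies at most n-1 bytes of the next line, consumes the whole
 * line (the overflow is thrown away here), returns n if it did not fit,
 * otherwise the line length, or -1 at end of input. */
static int model_getline(char *buf, int n, const char **in)
{
    const char *eol = strchr(*in, '\n');
    int len, copy;
    if (eol == NULL) return -1;
    len = (int)(eol - *in);
    copy = len < n - 1 ? len : n - 1;
    memcpy(buf, *in, (size_t)copy);
    buf[copy] = '\0';
    *in = eol + 1;
    return len > n - 1 ? n : len;
}

/* Returns 1 if the caller ever sees a header line starting with `name`. */
static int header_survives(const char *name, int soak)
{
    char resp[256], field[BUF_LEN];
    const char *in = resp;
    int len, found = 0;
    build_response(resp);
    while ((len = model_getline(field, BUF_LEN, &in)) > 0) {
        if (strncmp(field, name, strlen(name)) == 0) found = 1;
        if (soak && len >= BUF_LEN - 1) {
            /* Same shape as the quoted loop: there is no leftover data to
             * soak up, so this read consumes the next header instead. */
            while ((len = model_getline(field, BUF_LEN, &in)) >= BUF_LEN - 1) { }
        }
    }
    return found;
}

int main(void) { printf("%d\n", header_survives("X-Test-Header-2", 1)); return 0; }
```

In this model, skipping the soak loop keeps X-Test-Header-2, but the report states that removing the loop is not a sufficient fix in httpd, where a header at least 3x the buffer size leaves extra data behind. The model does not cover that case.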
