From: "Ryan Bloom" <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 1:51 PM


> On Thursday 25 October 2001 08:52 pm, Ryan Bloom wrote:
> > > It seems that there is a possibility for DoS on Apache servers
> > > when doing a POST.  On search.apache.org, I can send the following
> > > request:
> > >
> > > PUT / HTTP/1.1
> > > Host: search.apache.org:80
> > > Content-Length: 1000
> > > <newline here>
> > >
> > > And just let it sit there forever.  search.apache.org is running 2.0.24,
> > > and I'm running out of CVS and seeing the same behaviour.  Seems bogus to
> > > me.
> >
> > Well, after a few weeks of meaning to look into this, I finally have.  Jon,
> > you are 100% correct that this does happen.  [...]
>
> Had more time to look at this.  It looks like we actually will time out given enough
> time, but by default that time limit is like 10 minutes.  I think this can be fixed
> by setting the content-length to 0 when we go to serve error pages.  I am
> attempting this now-ish.

++1... we should never get to the error phase with any request post data remaining.

Bill
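
The behaviour discussed in this thread, as an added Python sketch that is not Apache's code or the fix that was committed: a handler that answers on the error path without waiting for the declared body, and bounds body reads on the normal path with one overall deadline. `ALLOWED`, `STALLED`, `example.test`, the function names, the 2-second default and the 405/408 status choices are assumptions made for the illustration.

```python
import socket, time

ALLOWED = {"GET", "HEAD", "POST"}  # assumption: methods this toy handler serves
# Constructed request shaped like the one in the report: body declared, never sent.
STALLED = b"PUT / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1000\r\n\r\n"

def read_headers(conn):
    """Read through the blank line; return (method, headers, early body bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("client closed before headers ended")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    fields = (line.split(":", 1) for line in lines[1:] if ":" in line)
    return lines[0].split(" ")[0], {k.strip().lower(): v.strip() for k, v in fields}, rest

def read_body(conn, length, body, deadline):
    end = time.monotonic() + deadline
    while len(body) < length:
        # One shrinking budget for the whole body, not a fresh timer per recv().
        conn.settimeout(max(end - time.monotonic(), 0.001))
        chunk = conn.recv(length - len(body))
        if not chunk:
            raise ConnectionError("client closed mid-body")
        body += chunk
    return body

def handle(conn, deadline=2.0):
    method, headers, rest = read_headers(conn)
    if method not in ALLOWED:
        status = 405  # error path: answer now, never wait for the declared body
    else:
        try:
            read_body(conn, int(headers.get("content-length", 0)), rest, deadline)
            status = 200
        except (socket.timeout, TimeoutError):
            status = 408  # body stalled past the deadline
    conn.sendall(b"HTTP/1.1 %d -\r\nContent-Length: 0\r\nConnection: close\r\n\r\n" % status)
    conn.close()
    return status

def demo(request, deadline=0.3):
    client, server = socket.socketpair()  # local pair, no network needed
    with client:
        client.sendall(request)
        start = time.monotonic()
        return handle(server, deadline), time.monotonic() - start
```

`demo(STALLED)` returns as soon as the headers are parsed, while the same request sent as a POST is held only until the body deadline expires.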
