On Wed, Oct 1, 2014 at 1:05 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> mod_security and " > > SecRequestBodyLimit" works as expected > blocking the request - so it hardly is a bug in mod_php > which should not be called at all if "LimitRequestBody" > takes action > SecRequestBodyLimit reads the content-length in a hook that precedes PHPs handler. LimitRequestBody acts as a filter during the read of the body during the execution of the PHP handler. To me, this does not exonerate mod_php, it implicates it. I suspect your source code is served because PHP swallowed the LimitRequestBody and then passed control back to Apache. I'm fairly certain I responded to you privately with similar information already. The default handler (static file handler) is a fall-through, and there is not currently a way to tell it NOT to respond for something because a configured module unexpectedly passed control back. It is a relatively easy opt-in feature to add, but not something that is safe for a shipped release to change by default.