On 01.10.2014 at 20:19, Eric Covener wrote:
> On Wed, Oct 1, 2014 at 2:16 PM, Eric Covener <cove...@gmail.com> wrote:
>
> To me, this does not exonerate mod_php, it implicates it. I suspect your
> source code is served because PHP swallowed the LimitRequestBody and then
> passed control back to Apache. I'm fairly certain I responded to you
> privately with similar information already.
>
> I should add that I don't understand your scenario completely, where the
> file is not processed. I think my own test result was the same as Yehuda ITT
> which is not the same as what I just described with the default handler
> taking over
I don't know what happens internally, just that "SecRequestBodyLimit" opens a large security hole, because one just needs to send large data to any script on the server to get the source, even scripts only working as includes and containing credentials.

IMHO, if a restriction like "SecRequestBodyLimit" is triggered, any output should be thrown away and the error handler called, delivering the 403 default error page.