On 01.10.2014 at 20:36, Eric Covener wrote:
> On Wed, Oct 1, 2014 at 2:24 PM, Reindl Harald <h.rei...@thelounge.net
> <mailto:h.rei...@thelounge.net>> wrote:
>
>> i don't know what happens internally
>
> That's what's on-topic for the development list
agreed - but shipping source code to a client is serious, and in that case it is easily controlled by any client with enough upstream to send some 100 MB of data to a specific URL; in the case of open source systems with known config paths it reverses the option into the opposite of the admin's intention

>> just that "SecRequestBodyLimit" opens a large security hole
>> because one just needs to send large data to any script
>> on the server to get the source, even scripts only
>> working as includes and containing credentials
>>
>> IMHO if a restriction like "SecRequestBodyLimit" is triggered
>> any output should be thrown away and the error handler called
>> delivering the 403 default error page
>
> I think you mean LimitRequestBody

indeed - sorry - that's the modsec value working as expected

> I don't think anyone has done enough homework to see what goes wrong under
> mod_php to see if a change to LimitRequestBody is needed. It currently
> detects the size breach and returns an error to whoever is reading the body.
> In other words handlers have access to all kinds of filter errors,
> so changes there are intrusive

agreed - sorry that i can't do the needed homework