Am 02.10.2014 um 22:36 schrieb Joe Orton: > On Wed, Oct 01, 2014 at 02:16:17PM -0400, Eric Covener wrote: >> The default handler (static file handler) is a fall-through, and there is >> not currently a way to tell it NOT to respond for something because a >> configured module unexpectedly passed control back. It is a relatively >> easy opt-in feature to add, but not something that is safe for a shipped >> release to change by default. > > The PHP SAPI doesn't handle any errors while reading request body data > (php_apache_sapi_read_post), which it should. The result of that is > that the PHP script is executed as normal, and you get a 413 response > with the ErrorDocument first, then the script output. > > I can't see any more serious bug here, Reindl, we lack a working repro > case for dumping unprocessed source here. Can you reproduce without > mod_security loaded/configured? Something must be de-configuring the > mod_php handler, and I can't imagine how exactly that is happening
i need to modify several configurations to make mod_security conditional and will give feedback as soon that has happened is there any useful way in case of httpd-prefork to get an strace showing what happens internally on non-debug builds? maybe it's something obvious in the direction "why is B even called after A" however, control that by modsec gives you even the option to select the status code without leak source code - if a module can do that why not the core itself unconditional?
signature.asc
Description: OpenPGP digital signature