On Thu, 20 Jun 2002, Lupe Christoph wrote: > On Thursday, 2002-06-20 at 18:22:10 +0400, Igor Sysoev wrote: > > On Thu, 20 Jun 2002, Lupe Christoph wrote: > > > > > and the mod_perl module seems to prevent the crash: > > > > > > > telnet proxy.customer.de 80 > > > > Trying 213.155.64.138... > > > > Connected to proxy.customer.de. > > > > Escape character is '^]'. > > > > POST /x.html HTTP/1.1 > > > > Host: proxy.customer.de > > > > Transfer-Encoding: chunked > > > > > > > > 80000000 > > > > Rapid 7 > > > > 0 > > > > > > > > > > > > ^] > > > > telnet> Connection closed. > > > > > > Does mod_perl do it's own de-chunking? > > > So mod_perl does not return any response ? > > > There are two ways to prevent crush with particular URI: > > 1. return 411 error if client send chunked body (standard mod_proxy, > > mod_cgi and mod_isapi do it); > > 2. ignore body at all. > > > I suspect second in your case. > > Sorry that is not the answer to my question - the question is if my > code gets a chance to do *anything*, or will the httpd code just > crash at a later time? It does not crash like a non-mod_perl httpd.
I think if you Apache does not send any response then it vulnerable with this particular URI. I've tried you request with plain Apache - one process starting to eat CPU without faults. Igor Sysoev http://sysoev.ru
