ID: 42404 Comment by: buanzo at buanzo dot com dot ar Reported By: cvitale at us dot ibm dot com Status: Open Bug Type: Apache2 related Operating System: Linux 2.4 PHP Version: 5.2.3 New Comment:
Reproduced in Apache 2.2.4-r10 (Gentoo), PHP-5.2.3. Previous Comments: ------------------------------------------------------------------------ [2007-08-23 21:52:31] cvitale at us dot ibm dot com Description: ------------ I've compiled php to run on Apache 2.0.59 with --with-apxs2. The function php_apache_sapi_read_post in php-5.2.3/sapi/apache2handler/sapi_apache2.c assumes that the call to ap_get_brigade will never return an error that php should give to Apache. This violates Apache best practices. An Apache2 input content filter may return an error, like APR_EGENERAL. I am working on a filter that will reject suspicious input content and return this value. I also set the Apache request_rec status to 403. The requests that are returned have a 403 Forbidden status header and the normal php output body content. If ap_get_brigade returns an apache error php should stop processing. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=42404&edit=1