Bug 1419585

Summary: httpd stopped sending the error specification in the body
Product: Red Hat Enterprise Linux 6
Reporter: Jan Houska <jhouska>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED WONTFIX
QA Contact: Jan Houska <jhouska>
Severity: unspecified
Priority: unspecified
Version: 6.10
CC: bnater, jorton, luhliari
Target Milestone: rc
Type: Bug
Clones: 1433475, 1435651
Bug Blocks: 1433475
Last Closed: 2017-12-06 10:42:38 UTC

Description Jan Houska 2017-02-06 15:01:13 UTC
Description of problem:
The new version of the httpd package stopped sending the error specification message in the response body.

Version-Release number of selected component (if applicable):
httpd-2.2.15-60

How reproducible:
always

Steps to Reproduce:
1. send an incorrect request to httpd:

#  perl -e 'print "GET / HTTP/1.0\n","Cookie: sessioncookie=qwertyuiop0987654321zxcvbnm\n"," ", "A"x8180, "\n\n"' | nc localhost 80

2. see the output

Actual results:

"""
HTTP/1.1 400 Bad Request
Date: Mon, 06 Feb 2017 14:30:24 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at qeos-192.lab.eng.rdu2.redhat.com Port 80</address>
</body></html>
[0 root@qeos-192 CVE-2012-0053-httpd-cookie-exposure-due-to-error-responses]# rpm -qa httpd
httpd-2.2.15-60.el6.x86_64
"""


Expected results:

"""
HTTP/1.1 400 Bad Request
Date: Mon, 06 Feb 2017 14:29:05 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 418
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field after folding exceeds server limit.<br />
<pre>
Cookie
</pre>
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at qeos-194.lab.eng.rdu2.redhat.com Port 80</address>
</body></html>
[0 root@qeos-194 zk]# rpm -qa httpd
httpd-2.2.15-54.el6_8.x86_64
"""
Additional info:
The bug was found on errata 2016:25562-01.

Comment 2 Branislav Náter 2017-06-29 09:41:39 UTC
Another thing I've spotted is that the reasons for rejection also differ
between the 'long continuation' and 'missing colon' parts of the
tests:

'long header line'
old: "Size of a request header field exceeds server limit."
new: "Size of a request header field exceeds server limit."

'long continuation'
old: "Size of a request header field after folding exceeds server limit."
new: "Size of a request header field exceeds server limit."

'missing colon'
old: "Request header field is missing ':' separator."
new: no explanation
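
The regression described in the report and in comment 2 can be checked offline with a small response inspector. This is an added example, not code from the bug report or from the httpd project; the two responses are constructed from the bodies quoted above, and the cookie value is the one from the reproducer. It reports which reason string (if any) the 400 body carries, which header name the <pre> block names, and, as the CVE-2012-0053 check, whether the header value itself was echoed back.

```python
import re

# Constructed samples, trimmed from the two 400 responses quoted in the report.
OLD_RESPONSE = (  # httpd-2.2.15-54: reason and header name present
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field after folding exceeds server limit.<br />\n"
    "<pre>\nCookie\n</pre>\n</p>\n"
)
NEW_RESPONSE = (  # httpd-2.2.15-60: generic text only
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "</p>\n"
)
# Cookie value from the reproducer; it must never appear in the error body.
SECRET = "qwertyuiop0987654321zxcvbnm"

# Reason strings httpd 2.2 uses for malformed header fields (from comment 2).
REASONS = (
    "Size of a request header field after folding exceeds server limit.",
    "Size of a request header field exceeds server limit.",
    "Request header field is missing ':' separator.",
)


def split_response(raw):
    """Return (status_code, body) from a raw HTTP/1.x response string."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return int(status_line.split()[1]), body


def inspect_error_body(body, secret):
    """Find the reason line, the header name shown in <pre>, and any leak."""
    reason = next((r for r in REASONS if r in body), None)
    match = re.search(r"<pre>\s*(\S+)\s*</pre>", body)
    return {
        "reason": reason,
        "header_name": match.group(1) if match else None,
        "leaks_secret": secret in body,
    }


def check_response(raw, secret=SECRET):
    """Full check: status, reason, header name, leak flag, and whether
    the body explains the rejection at all (the regression in this bug)."""
    status, body = split_response(raw)
    result = inspect_error_body(body, secret)
    result["status"] = status
    result["explains"] = result["reason"] is not None
    return result
```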

Comment 3 Jan Kurik 2017-12-06 10:42:38 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/