Bug 2173276

Summary: httpd 2.4.37-54 breaks compatibility (default LimitRequestBody)
Product: Red Hat Enterprise Linux 9
Reporter: Igor Raits <igor.raits>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED NOTABUG
QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: bstinson, jorton, jwboyer, luhliari
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2023-03-07 14:33:11 UTC
Type: Bug

Description Igor Raits 2023-02-25 09:31:01 UTC
Description of problem:
https://git.centos.org/rpms/httpd/blob/0ac66abcd8d9406daa7ec6169971d2d8921d77fd/f/SOURCES/httpd-2.4.37-CVE-2022-29404.patch changes the default LimitRequestBody from 0 (unlimited) to 1073741824 (1G). This change, proposed as a security fix, breaks valid use cases (e.g. mod_dav, where you really want to upload big files).

Version-Release number of selected component (if applicable):
2.4.37-54.module_el8.8.0+1256+e1598b50

How reproducible:
Always.

Steps to Reproduce:
1. Upgrade from previous release
2. Try to run your workload (in our case it is uploading big files >1G with mod_dav)

Actual results:
HTTP_REQUEST_ENTITY_TOO_LARGE (HTTP 413) is returned on requests that used to work before.

Expected results:
Either the default stays, or at least there is a more prominent warning: "THIS WILL BREAK YOUR SERVICE AFTER UPGRADE". Basically, better visibility of the fact that it will break stuff.
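
An added configuration example (not part of the bug report, the CentOS package, or the upstream commit) showing how a deployment can keep the hardened 1 GiB default server-wide and relax it only for the WebDAV tree the reporter describes; the `/dav` location and `/srv/dav` path are assumptions for illustration:

```apache
# Added example, not from the bug report. Paths are assumptions.
# The CVE-2022-29404 fix changed the compiled-in default to 1073741824
# bytes (1 GiB); stating it explicitly documents the intent and keeps
# every other URL on the server covered by the limit.
LimitRequestBody 1073741824

DavLockDB /var/lib/dav/lockdb

Alias /dav /srv/dav
<Location "/dav">
    DAV On
    # Exempt only this subtree. 0 restores the pre-fix unlimited behaviour
    # for DAV uploads; prefer a finite ceiling if the largest expected
    # upload is known, so the limit still bounds abusive requests here.
    LimitRequestBody 0

    # Large uploads should not be anonymous; pair the exemption with auth.
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/httpd/dav.passwd
    Require valid-user
</Location>
```

After changing the limit, check that requests outside `/dav` still receive HTTP 413 above 1 GiB and that only the authenticated DAV path accepts larger bodies; the 413 in the "Actual results" above is the symptom of the new default applying everywhere.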

Comment 1 Igor Raits 2023-02-25 09:38:34 UTC
FTR, upstream commit: https://github.com/apache/httpd/commit/92499e20034485c5e2d29cb85940e309573d976e

Comment 2 Luboš Uhliarik 2023-03-01 20:46:08 UTC
Hello Igor,

We announced this change in the Release Notes [0], and you can also find information about it in the Knowledge Base article [1].

Changing the default value was part of the security fix.

[0] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/new-features#enhancement_dynamic-programming-languages-web-and-database-servers
[1] https://access.redhat.com/articles/6975397

Comment 3 Joe Orton 2023-03-07 14:33:11 UTC
As Lubos says, we were aware of the impact of this change, and it was documented accordingly in the release notes.

Occasionally, and regrettably, we do need to make changes which can impact the behaviour of existing deployments for security reasons.
Feel free to contact Red Hat Support if you need further assistance.