Bug 73254

Summary: Request body is buffered in memory
Product: [Retired] Red Hat Public Beta
Component: php
Version: null
Hardware: i386
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Joe Orton <jorton>
Assignee: Phil Copeland <copeland>
QA Contact: David Lawrence <dkl>
CC: jorton
Doc Type: Bug Fix
Last Closed: 2002-09-02 19:07:43 UTC

Description Joe Orton 2002-09-01 21:29:46 UTC
The apache2filter SAPI code buffers the entire request body in memory, so if a
POST request with a 1 GB body is received, the server will try to grow to 1 GB as it
receives it.

This allows some kind of DoS attack, though there are far easier ways to deny
service to an Apache server.  LimitRequestBody would help; may be sensible to
set a default in the <Files *.php> block.

Comment 1 Phil Copeland 2002-09-02 18:43:18 UTC
Hummm
Well, actually there is already a limit in PHP.
We build PHP with --enable-memory-limit so no single process can do exactly what
you describe here.

The default memory_limit is 8Mb.
It's tuneable in /etc/php.ini as the variable 'memory_limit' in the Resource
Limits section.

Are you saying that this is being bypassed?

Oh, are you sure about 'LimitRequestBody'? That's against Apache, not PHP.

------
Limit Maximum Size of Request Message Body
Syntax: LimitRequestBody A
Example: LimitRequestBody 512000
Since: Apache 1.3

This directive sets a maximum size (in bytes) for a request message body. The
bytes argument must be an integer between 0 (meaning unlimited) to 2,147,483,647
(2 GB). If the client request exceeds the limit on the allowed size of the HTTP
request message body, the server will return an error response instead of
servicing the request. In this way, the directive gives the server administrator
greater control over abnormal client request behavior, which may help prevent
some forms of denial-of-service attacks.
------

Phil
=--=

Comment 2 Joe Orton 2002-09-02 19:07:37 UTC
Yes, the PHP memory limit is definitely ignored; sapi_apache2.c is using
realloc() directly to do this. I guess the PHP memory limit is only applied if
you use PHP's emalloc() etc. wrappers.

LimitRequestBody should apply because Apache should immediately reject a request
with a large Content-Length if a LimitRequestBody is set; I haven't tested this.
As I say, I don't think this is a high priority problem as there are easier ways
to DoS Apache.

Comment 3 Phil Copeland 2002-09-03 02:59:35 UTC
Fixed in 4.2.2-8.0.3

Phil
=--=
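
The point made in Comment 2, that a buffer grown with raw realloc() sits outside any limit enforced in allocator wrappers, shown as an added C example that is not part of this thread and is not code from sapi_apache2.c or from the 4.2.2-8.0.3 fix. It is a request-body accumulator that enforces its own byte cap; all names (body_buf, body_check_declared, body_append, body_free) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; not taken from sapi_apache2.c. */
enum body_status { BODY_OK = 0, BODY_TOO_LARGE = -1, BODY_NO_MEMORY = -2 };

struct body_buf {
    char  *data;
    size_t len;    /* bytes stored so far */
    size_t limit;  /* hard cap on len in bytes; 0 means unlimited */
};

/* Reject up front when the declared Content-Length already exceeds the cap,
 * which is the behaviour Comment 2 expects from LimitRequestBody. */
enum body_status body_check_declared(const struct body_buf *b, size_t content_length)
{
    if (b->limit != 0 && content_length > b->limit)
        return BODY_TOO_LARGE;
    return BODY_OK;
}

/* Append one chunk. A raw realloc() is invisible to a limit enforced inside
 * allocator wrappers, so the cap is checked here before the buffer grows.
 * The per-chunk check also covers bodies sent without a Content-Length. */
enum body_status body_append(struct body_buf *b, const char *chunk, size_t n)
{
    if (n == 0)
        return BODY_OK;
    /* Subtraction form: len <= limit always holds, so this cannot wrap. */
    if (b->limit != 0 && n > b->limit - b->len)
        return BODY_TOO_LARGE;
    if (n > SIZE_MAX - b->len)      /* unlimited mode: guard len + n overflow */
        return BODY_NO_MEMORY;
    char *p = realloc(b->data, b->len + n);
    if (p == NULL)
        return BODY_NO_MEMORY;      /* old buffer stays valid and owned by b */
    memcpy(p + b->len, chunk, n);
    b->data = p;
    b->len += n;
    return BODY_OK;
}

void body_free(struct body_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = 0;
}
```

With limit set to 0 the accumulator behaves like the unbounded buffering described in the report, growing for as long as the client keeps sending.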