Bug 1419585 - httpd stopped sending the error specification in the body
Summary: httpd stopped sending the error specification in the body
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Luboš Uhliarik
QA Contact: Jan Houska
URL:
Whiteboard:
Depends On:
Blocks: 1433475
Reported: 2017-02-06 15:01 UTC by Jan Houska
Modified: 2017-12-06 10:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1433475 1435651
Environment:
Last Closed: 2017-12-06 10:42:38 UTC
Target Upstream Version:



Description Jan Houska 2017-02-06 15:01:13 UTC
Description of problem:
The new version of the httpd package stopped sending the error specification in the response body.

Version-Release number of selected component (if applicable):
httpd-2.2.15-60

How reproducible:
always

Steps to Reproduce:
1. send incorrect request to the httpd 

#  perl -e 'print "GET / HTTP/1.0\n","Cookie: sessioncookie=qwertyuiop0987654321zxcvbnm\n"," ", "A"x8180, "\n\n"' | nc localhost 80
2. see the output



Actual results:

"""
HTTP/1.1 400 Bad Request
Date: Mon, 06 Feb 2017 14:30:24 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 325
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at qeos-192.lab.eng.rdu2.redhat.com Port 80</address>
</body></html>
[0 root@qeos-192 CVE-2012-0053-httpd-cookie-exposure-due-to-error-responses]# rpm -qa httpd
httpd-2.2.15-60.el6.x86_64
"""


Expected results:

"""
HTTP/1.1 400 Bad Request
Date: Mon, 06 Feb 2017 14:29:05 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 418
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field after folding exceeds server limit.<br />
<pre>
Cookie
</pre>
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at qeos-194.lab.eng.rdu2.redhat.com Port 80</address>
</body></html>
[0 root@qeos-194 zk]# rpm -qa httpd
httpd-2.2.15-54.el6_8.x86_64
"""




Additional info:
The bug was found on the errata 2016:25562-01.

Comment 2 Branislav Náter 2017-06-29 09:41:39 UTC
Another thing I've spotted is that the reasons for rejection are also
different for the 'long continuation' and 'missing colon' parts of the
tests:

'long header line'
old: "Size of a request header field exceeds server limit."
new: "Size of a request header field exceeds server limit."

'long continuation'
old: "Size of a request header field after folding exceeds server limit."
new: "Size of a request header field exceeds server limit."

'missing colon'
old: "Request header field is missing ':' separator."
new: no explanation
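
Both the reproduction in the description and the message differences listed in comment 2 come down to what a 400 body does or does not say about the rejected header. The following is an added example, not code from the bug report or from httpd: it builds the three malformed requests named above ('long header line', 'long continuation', 'missing colon'), parses a raw 400 response, pulls out the reason sentence and any field name httpd echoes inside <pre>, and checks the body for the header name and the cookie value. The two embedded responses are the ones quoted in the description; probe() is the only part that needs a live server, and the 8190-byte field limit is the httpd 2.2 default LimitRequestFieldSize, assumed here rather than taken from this page.

```python
import re
import socket

# Added example, not code from the bug report or from httpd.
COOKIE_VALUE = "qwertyuiop0987654321zxcvbnm"  # cookie value from the one-liner
FIELD_LIMIT = 8190  # httpd 2.2 default LimitRequestFieldSize (assumption)


def build_request(kind="long continuation", cookie_value=COOKIE_VALUE):
    """Raw bytes for one malformed case named in the bug. The default rebuilds
    the reporter's perl one-liner: a short Cookie header plus an obs-fold line
    (leading space) of 8180 'A's, so the field is too long only after folding.
    Bare LF line endings are kept, as in the one-liner."""
    value = cookie_value.encode()
    if kind == "long continuation":
        field = b"Cookie: sessioncookie=" + value + b"\n " + b"A" * 8180 + b"\n"
    elif kind == "long header line":
        field = b"Cookie: sessioncookie=" + b"A" * FIELD_LIMIT + b"\n"
    elif kind == "missing colon":
        field = b"Cookie sessioncookie=" + value + b"\n"
    else:
        raise ValueError("unknown case: %s" % kind)
    return b"GET / HTTP/1.0\n" + field + b"\n"


def split_response(raw):
    """Split a raw response into (status, headers, body); the body is cut to
    Content-Length when that header is present."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status, headers, body


def explanation(raw):
    """(reason, echoed_field): the sentence httpd appends after the generic
    'could not understand' line and the field name it prints inside <pre>;
    (None, None) when the body carries only the generic text."""
    body = split_response(raw)[2].decode("iso-8859-1")
    reason = re.search(r"understand\.<br />\n(.+?)<br />\n", body)
    field = re.search(r"<pre>\n(.+?)\n</pre>", body)
    return (reason.group(1).strip() if reason else None,
            field.group(1).strip() if field else None)


def disclosures(raw, secrets):
    """Which of `secrets` (header names or values the client sent) show up
    in a 400 body; an empty set means the error page gives nothing away."""
    status, _, body = split_response(raw)
    if status != 400:
        return set()
    return {s for s in secrets if s.encode("iso-8859-1") in body}


def probe(host, port=80, request=None, timeout=5.0):
    """Send a request to a live server and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request or build_request())
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def _response(date, body):
    """Wrap an error document the way httpd 2.2 sends it: CRLF header lines,
    LF inside the HTML, Content-Length equal to the document size."""
    return (b"HTTP/1.1 400 Bad Request\r\nDate: " + date + b"\r\n"
            b"Server: Apache/2.2.15 (Red Hat)\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\nConnection: close\r\n"
            b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n" + body)


# Error document from httpd-2.2.15-60.el6, copied from the report above.
BODY_NEW = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at qeos-192.lab.eng.rdu2.redhat.com Port 80</address>
</body></html>
"""
# The httpd-2.2.15-54.el6_8 document adds the reason and the folded field.
BODY_OLD = BODY_NEW.replace(
    b"understand.<br />\n",
    b"understand.<br />\nSize of a request header field after folding "
    b"exceeds server limit.<br />\n<pre>\nCookie\n</pre>\n",
).replace(b"qeos-192", b"qeos-194")
RESPONSE_OLD = _response(b"Mon, 06 Feb 2017 14:29:05 GMT", BODY_OLD)
RESPONSE_NEW = _response(b"Mon, 06 Feb 2017 14:30:24 GMT", BODY_NEW)
```

Against a live host, feed probe(host, build_request("missing colon")) (or either of the other two cases) to explanation() and disclosures(). On the two captures from the description, disclosures() finds the field name "Cookie" in the -54 body and nothing in the -60 body, and neither body contains the cookie value itself; the only thing the newer build drops is the reason sentence and the echoed field name, which is exactly the difference the reporter's expected and actual outputs show.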

Comment 3 Jan Kurik 2017-12-06 10:42:38 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

