Bug 73254 - Request body is buffered in memory
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: php
Version: null
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Phil Copeland
QA Contact: David Lawrence
Reported: 2002-09-01 21:29 UTC by Joe Orton
Modified: 2007-04-18 16:46 UTC (History)

Doc Type: Bug Fix
Last Closed: 2002-09-02 19:07:43 UTC


Description Joe Orton 2002-09-01 21:29:46 UTC
The apache2filter SAPI code buffers the entire request body in memory, so if a
POST request with a 1gb body is received, the server will try to grow to 1gb as
it receives it.

This allows some kind of DoS attack, though there are far easier ways to deny
service to an Apache server.  LimitRequestBody would help; may be sensible to
set a default in the <Files *.php> block.

Comment 1 Phil Copeland 2002-09-02 18:43:18 UTC
Well, actually there is already a limit in php.
We build php with --enable-memory-limit so no single process can do exactly what
you describe here.

the default memory_limit is 8Mb
it's tuneable in /etc/php.ini as the variable 'memory_limit' in the Resource
Limits section.

Are you saying that this is being bypassed?

Oh, are you sure about 'LimitRequestBody'? That's against apache, not php

Limit Maximum Size of Request Message Body
Syntax: LimitRequestBody A
Example: LimitRequestBody 512000
Since: Apache 1.3

This directive sets a maximum size (in bytes) for a request message body. The
bytes argument must be an integer between 0 (meaning unlimited) to 2,147,483,647
(2 GB). If the client request exceeds the limit on the allowed size of the HTTP
request message body, the server will return an error response instead of
servicing the request. In this way, the directive gives the server administrator
greater control over abnormal client request behavior, which may help prevent
some forms of denial-of-service attacks.


Comment 2 Joe Orton 2002-09-02 19:07:37 UTC
Yes, the PHP memory limit is definitely ignored, sapi_apache2.c is using
realloc() directly to do this, I guess the PHP memory limit is only applied if
you use PHP's emalloc() etc wrappers.

LimitRequestBody should apply because Apache should immediately reject a request
with a large Content-Length if a LimitRequestBody is set; I haven't tested this.
As I say, I don't think this is a high priority problem as there are easier ways
to DoS Apache.
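
Added example, not part of the bug thread and not code from sapi_apache2.c or from PHP: a request-body accumulator that still grows with realloc() but enforces a byte cap itself, both on the declared Content-Length and on every appended chunk. The type and function names (body_buf, body_check_declared, body_append) and the 8-byte cap in main() are assumptions made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request-body accumulator; names are illustrative only. */
typedef struct {
    char  *data;
    size_t len;    /* bytes stored so far */
    size_t limit;  /* cap in bytes; 0 means unlimited, as with LimitRequestBody */
} body_buf;

enum { BODY_OK = 0, BODY_TOO_LARGE = -1, BODY_NOMEM = -2 };

void body_init(body_buf *b, size_t limit) { b->data = NULL; b->len = 0; b->limit = limit; }
void body_free(body_buf *b) { free(b->data); b->data = NULL; b->len = 0; }

/* Reject on the declared Content-Length before reading any of the body. */
int body_check_declared(const body_buf *b, size_t content_length)
{
    return (b->limit != 0 && content_length > b->limit) ? BODY_TOO_LARGE : BODY_OK;
}

/* Append one chunk. The cap is enforced here, in front of realloc(), so it
 * does not depend on which allocator wrapper is in use, and it still holds
 * when the client sent the body without declaring a length up front. */
int body_append(body_buf *b, const char *chunk, size_t n)
{
    if (n == 0) return BODY_OK;
    if (n > SIZE_MAX - b->len) return BODY_TOO_LARGE;   /* size_t overflow */
    if (b->limit != 0 && n > b->limit - b->len) return BODY_TOO_LARGE;
    char *p = realloc(b->data, b->len + n);
    if (p == NULL) return BODY_NOMEM;                   /* old buffer stays valid */
    memcpy(p + b->len, chunk, n);
    b->data = p;
    b->len += n;
    return BODY_OK;
}

int main(void)
{
    body_buf b;
    body_init(&b, 8);                                   /* constructed 8-byte cap */
    printf("declared 9 bytes: %d\n", body_check_declared(&b, 9));
    printf("append 5 bytes:   %d\n", body_append(&b, "12345", 5));
    printf("append 4 more:    %d (stored %zu)\n", body_append(&b, "6789", 4), b.len);
    body_free(&b);
    return 0;
}
```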

Comment 3 Phil Copeland 2002-09-03 02:59:35 UTC
Fixed in 4.2.2-8.0.3

