Red Hat Bugzilla – Bug 73254
Request body is buffered in memory
Last modified: 2007-04-18 12:46:16 EDT
The apache2filter SAPI code buffers the entire request body in memory, so if a
POST request a 1gb body is received, the server will try to grow to 1gb as it
This allows some kind of DoS attack, though there are far easier ways to deny
service to an Apache server. LimitRequestBody would help; may be sensible to
set a default in the <Files *.php> block.
Well actually there is already a limit into php.
We build php with --enable-memory-limit so no single process can do exactly what
you describe here.
the default memory_limit is 8Mb
it's tuneable in /etc/php.ini as the variable 'memory_limit' in the Resource
Are you saying that this is being bypassed?
Oh are you sure about 'LimitRequestBody'? Thats against apache, not php
Limit Maximum Size of Request Message Body
Syntax: LimitRequestBody A
Example: LimitRequestBody 512000
Since: Apache 1.3
This directive sets a maximum size (in bytes) for a request message body. The
bytes argument must be an integer between 0 (meaning unlimited) to 2,147,483,647
(2 GB). If the client request exceeds the limit on the allowed size of the HTTP
request message body, the server will return an error response instead of
servicing the request. In this way, the directive gives the server administrator
greater control over abnormal client request behavior, which may help prevent
some forms of denial-of-service attacks.
Yes, the PHP memory limit is definitely ignored, sapi_apache2.c is using
realloc() directly to do this, I guess the PHP memory limit is only applied if
you use PHPs emalloc() etc wrappers.
LimitRequestBody should apply because Apache should immediately reject a request
with a large Content-Length if a LimitRequestBody is set; I haven't tested this.
As I say, I don't think this is a high priority problem as there are easier ways
to DoS Apache.
Fixed in 4.2.2-8.0.3