
Re: Bug in mod_ratelimit?

Hi again Cory,

2018-07-19 19:02 GMT+02:00 Cory McIntire <cory@xxxxxxxxxx>:
Hi Luca,

Sorry for the quick reply, but we were able to replicate it just now:

# set up a brand new install of wp on a domain (don't have to go through the 'db' setup process, just configure wp-config.php to get to install.php redirect)
# install mod_ratelimit, and set up a vhost.conf with the ratelimit config for the domain
# restart apache
# visit site, see you are getting the "redirect" content instead of actually being redirected:

        curl -H'Host: cptestaddon.com'
        HTTP/1.1 302 Moved Temporarily
        Date: Thu, 19 Jul 2018 16:47:07 GMT
        Server: Apache
        X-Powered-By: PHP/5.6.36
        Expires: Wed, 11 Jan 1984 05:00:00 GMT
        Cache-Control: no-cache, must-revalidate, max-age=0
        Pragma: no-cache
        Location: http://cptestaddon.com/wp-admin/install.php
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8
        0

It is any CGI app but WP was an easy target to replicate on.

I can see the same thing with a simple php script that says "this is a test" on my testing environment:

vagrant@stretch:~$ curl -k https://localhost/test.php
HTTP/1.1 200 OK
Date: Thu, 19 Jul 2018 18:15:09 GMT
Server: Apache/2.4.34-dev (Unix) OpenSSL/1.1.0f
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

this is a test!

(Note the zero at the end)

So this is a bug introduced by the latest patch for sure, but I still have no idea where it comes from. I apologize for this issue; I was convinced that the new code was tested, but apparently I missed the most basic use cases.

Yann, any idea?