Re: Bug in mod_ratelimit?


On Thu, Jul 19, 2018 at 2:23 PM Luca Toscano <toscano.luca@xxxxxxxxx> wrote:
>
> Hi again Cory,
>
> 2018-07-19 19:02 GMT+02:00 Cory McIntire <cory@xxxxxxxxxx>:
>>
>> Hi Luca,
>>
>> Sorry for quick reply but we were able to replicate it just now:
>>
>> # set up a brand new install of wp on a domain (don't have to go through the 'db' setup process, just configure wp-config.php to get to install.php redirect)
>> # install mod_ratelimit, and set up a vhost.conf with the ratelimit config for the domain
>> # restart apache
>> # visit site, see you are getting the "redirect" content instead of actually being redirected:
>>
>>         •  curl -H'Host: cptestaddon.com' http://10.215.218.12/
>>         • HTTP/1.1 302 Moved Temporarily
>>         • Date: Thu, 19 Jul 2018 16:47:07 GMT
>>         • Server: Apache
>>         • X-Powered-By: PHP/5.6.36
>>         • Expires: Wed, 11 Jan 1984 05:00:00 GMT
>>         • Cache-Control: no-cache, must-revalidate, max-age=0
>>         • Pragma: no-cache
>>         • Location: http://cptestaddon.com/wp-admin/install.php
>>         • Transfer-Encoding: chunked
>>         • Content-Type: text/html; charset=UTF-8
>>         • 0
>>
>> It is any CGI app but WP was an easy target to replicate on.
>>
>
> I can see the same thing with a simple php script that says "this is a test" on my testing environment:
>
> vagrant@stretch:~$ curl -k https://localhost/test.php
> HTTP/1.1 200 OK
> Date: Thu, 19 Jul 2018 18:15:09 GMT
> Server: Apache/2.4.34-dev (Unix) OpenSSL/1.1.0f
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
>
> this is a test!
> 0
>
> (Note the zero at the end)
>

You think that's weird, I see a chunk length before the status line
when using a raw socket:

$ printf "GET /cgi-bin/test-cgi HTTP/1.1\r\nHost: foo\r\n\r\n" | nc 0 80
23a
HTTP/1.1 200 OK
Date: Thu, 19 Jul 2018 19:12:05 GMT
Server: Apache/2.4.34-dev (Unix) OpenSSL/1.1.0g
Transfer-Encoding: chunked
Content-Type: text/plain

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/2.4.34-dev (Unix) OpenSSL/1.1.0g
SERVER_NAME = foo
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.1
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST =
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

0


> So this is a bug introduced by the latest patch for sure, but I still have no idea where it comes from. I apologize for this issue, I was convinced that the new code was tested but apparently I missed the most basic use cases.
>
> Yann, any idea?
>
> Luca



-- 
Eric Covener
covener@xxxxxxxxx
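
Added example, not part of the thread and not httpd project code: a framing check over raw response bytes that flags the symptom in the nc capture above (a chunk-size line ahead of the status line). It goes slightly beyond the thread by also flagging bytes left after the terminating zero-size chunk. The function names and sample responses are constructed for illustration.

```python
import re

HEX_LINE = re.compile(rb"[0-9A-Fa-f]+(;.*)?")  # chunk-size line, optional extension

def decode_chunked(body):
    """Return (payload, bytes left over after the terminating zero-size chunk)."""
    payload, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            break
        payload += body[pos:pos + size]
        pos += size + 2                      # skip chunk data and its CRLF
    # Trailer section: zero or more header lines, then an empty line.
    while True:
        eol = body.index(b"\r\n", pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            return payload, body[pos:]

def check_framing(raw):
    """Return a list of framing findings for one raw HTTP/1.1 response."""
    first, _, rest = raw.partition(b"\r\n")
    if not first.startswith(b"HTTP/"):
        if HEX_LINE.fullmatch(first) and rest.startswith(b"HTTP/"):
            return ["chunk-size line before status line"]
        return ["response does not start with a status line"]
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    if b"transfer-encoding: chunked" in head.lower():
        _, leftover = decode_chunked(body)
        if leftover:
            findings.append("bytes after terminating chunk")
    return findings

# Constructed samples (not captures from the thread).
INNER = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: text/plain\r\n\r\nhello\n"
WRAPPED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(INNER), INNER)   # whole response inside one chunk
GOOD = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n6\r\nhello\n\r\n0\r\n\r\n"
EXTRA = GOOD + b"0\r\n\r\n"                                 # second terminator appended

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("wrapped", WRAPPED), ("extra", EXTRA)):
        print(name, check_framing(raw))
```

Feed it the bytes read from a raw socket, as with the printf | nc command above, rather than curl output, since curl decodes the chunked body before printing it.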