Date:      Wed, 13 Jan 2010 21:27:07 GMT
From:      Sergey Prikhodko <sergey@network-asp.biz>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/142795: mod_fcgid broken large form uploads
Message-ID:  <201001132127.o0DLR70O017843@www.freebsd.org>
Resent-Message-ID: <201001132130.o0DLU2Kv054259@freefall.freebsd.org>


>Number:         142795
>Category:       ports
>Synopsis:       mod_fcgid broken large form uploads
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 13 21:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Sergey Prikhodko
>Release:        7.2-RELEASE-p4
>Organization:
Network-ASP
>Environment:
FreeBSD xeon.office.network-asp.biz 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 12:21:39 UTC 2009     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
from http://svn.apache.org/viewvc?view=revision&revision=826829:

Fix possible corruption or truncation of request bodies which exceed
FcgidMaxRequestInMem.  

If the entire excess had been read from the brigade at the time the
limit was exceeded, the bug would be avoided.

This is a regression since mod_fcgid 2.2, which effectively ignored 
FcgidMaxRequestInMem if larger than 8K, since it reset the cumulative
request_len counter each time it obtained an input brigade of up to
HUGE_STRING_LEN bytes.

>How-To-Repeat:
Try to upload a large file (>64kb)
>Fix:
http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c?r1=826829&r2=826828&pathrev=826829&view=patch

see attached patch

Patch attached with submission follows:

diff -ruN mod_fcgid.orig/files/patch-modules-fcgid-fcgid_bridge.c mod_fcgid/files/patch-modules-fcgid-fcgid_bridge.c
--- mod_fcgid.orig/files/patch-modules-fcgid-fcgid_bridge.c	1970-01-01 03:00:00.000000000 +0300
+++ mod_fcgid/files/patch-modules-fcgid-fcgid_bridge.c	2010-01-13 23:16:36.000000000 +0200
@@ -0,0 +1,39 @@
+--- ./modules/fcgid/fcgid_bridge.c.orig	2009-10-07 14:37:11.000000000 +0300
++++ ./modules/fcgid/fcgid_bridge.c	2010-01-13 23:15:11.000000000 +0200
+@@ -448,7 +448,6 @@
+     int seen_eos;
+     apr_off_t request_size = 0;
+     apr_file_t *fd = NULL;
+-    int need_truncate = 1;
+     apr_off_t cur_pos = 0;
+     FCGI_Header *stdin_request_header;
+     apr_bucket_brigade *output_brigade;
+@@ -548,6 +547,15 @@
+                     apr_pool_userdata_get(&tmp, fd_key,
+                                           r->connection->pool);
+                     fd = tmp;
++
++                    if (fd != NULL) {
++                        if ((rv = apr_file_trunc(fd, 0)) != APR_SUCCESS) {
++                            ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
++                                          "mod_fcgid: can't truncate existing "
++                                          "temporary file");
++                            return HTTP_INTERNAL_SERVER_ERROR;
++                        }
++                    }
+                 }
+ 
+                 if (fd == NULL) {
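Review bot: the truncate block added after `fd = tmp;` never resets `cur_pos`, whereas the branch removed in the following hunk set `cur_pos = 0;` together with its `apr_file_trunc(fd, 0)` call. The initializer `apr_off_t cur_pos = 0;` at the declaration covers this only if nothing has been written to the temporary file earlier in the same request; adding `cur_pos = 0;` after the successful truncate would make that explicit. Separately, the failure path aborts the request with HTTP_INTERNAL_SERVER_ERROR but logs at APLOG_WARNING; APLOG_ERR would match the severity of the outcome.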
+@@ -574,11 +582,8 @@
+                     apr_pool_userdata_set((const void *) fd, fd_key,
+                                           apr_pool_cleanup_null,
+                                           r->connection->pool);
+-                } else if (need_truncate) {
+-                    need_truncate = 0;
+-                    apr_file_trunc(fd, 0);
+-                    cur_pos = 0;
+                 }
++
+                 // Write request to tmp file
+                 if ((rv =
+                      apr_file_write_full(fd, (const void *) data, len,
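Review bot: the submission touches only files/patch-modules-fcgid-fcgid_bridge.c (the single `diff -ruN` header at the top), with no Makefile change; since the patch alters the compiled module, PORTREVISION should be bumped in the same submission so that already installed copies are rebuilt. Within this last hunk of the embedded patch, the only added line is the empty `++` line after the closing brace, a whitespace-only change; if it is there to mirror upstream r826829 exactly, say so in the PR, otherwise drop it to keep the local patch minimal.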


>Release-Note:
>Audit-Trail:
>Unformatted: