Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/03/19 19:43:28 UTC

[Bug 64246] New: Providing incorrect HTTP/1.1 status line causes unhandled 500 Internal Server Error

https://bz.apache.org/bugzilla/show_bug.cgi?id=64246

            Bug ID: 64246
           Summary: Providing incorrect HTTP/1.1 status line causes
                    unhandled 500 Internal Server Error
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: marek.sebera@gmail.com
  Target Milestone: ---

Discovered while investigating CakePHP issue
https://github.com/cakephp/cakephp/pull/14373#issuecomment-601234866

Using the PHP function header("HTTP/1.1 209"), i.e. providing a non-standard HTTP
Response-Code without a Reason-Phrase, causes Apache2 to emit a 500 error without
logging any additional error.

209 is unassigned by IANA:
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

The RFC says (https://tools.ietf.org/html/rfc7230#section-3.1.2):
     status-line = HTTP-version SP status-code SP reason-phrase CRLF

-------

This has been tested just today with Debian 10 Buster stock builds of Apache2
and PHP 7.3 (using libapache2-mod-php7.3), versions:

Server version: Apache/2.4.38 (Debian)
Server built:   2019-10-15T19:53:42

and

Server version: Apache/2.4.41 (Debian)
Server built:   2019-08-16T19:44:16

PHP 7.3 from Debian Buster (package version 2:7.3+69)
and libapache2-mod-php7.3 (7.3.14-1~deb10u1)

# dpkg -l | grep apache
ii  apache2                 2.4.41-1~bpo10+1   amd64  Apache HTTP Server
ii  apache2-bin             2.4.41-1~bpo10+1   amd64  Apache HTTP Server (modules and other binary files)
ii  apache2-data            2.4.41-1~bpo10+1   all    Apache HTTP Server (common files)
ii  apache2-utils           2.4.41-1~bpo10+1   amd64  Apache HTTP Server (utility programs for web servers)
ii  libapache2-mod-fcgid    1:2.3.9-4          amd64  FastCGI interface module for Apache 2
ii  libapache2-mod-php7.0   7.0.30-0+deb9u1    amd64  server-side, HTML-embedded scripting language (Apache 2 module)
ii  libapache2-mod-php7.3   7.3.14-1~deb10u1   amd64  server-side, HTML-embedded scripting language (Apache 2 module)

# apache2ctl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 cgid_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

-------
The access log in such a case looks like this:

84.xxx.xxx.180 - basic_auth_username [19/Mar/2020:16:02:09 +0100] "GET /logs/ HTTP/1.1" 209 943 "https://app.censored.domain/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4085.12 Safari/537.36"

It logs the correct Status Code provided by PHP, but actually returns the full
"HTTP/1.1 500 Internal Server Error" status line to the browser.

No other logs are observed in standard error.log, syslog, dmesg or others.
PHP does not log any error either.

--------
Full communication looks like this:

> wget -S -O - -o - "https://basic_auth_username:ba_password@app.censored.domain/logs/"
--2020-03-19 15:52:01--  https://basic_auth_username:*password*@app.censored.domain/logs/
Resolving app.censored.domain (app.censored.domain)... 193.150.13.226
Connecting to app.censored.domain (app.censored.domain)|193.xxx.xxx.226|:443...
connected.
HTTP request sent, awaiting response...
  HTTP/1.1 401 Unauthorized
  Date: Thu, 19 Mar 2020 14:52:01 GMT
  Server: Apache/2.4.38
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  WWW-Authenticate: Basic realm="Password Protected"
  Content-Length: 381
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Authentication selected: Basic realm="Password Protected"
Reusing existing connection to app.censored.domain:443.
HTTP request sent, awaiting response...
  HTTP/1.1 500 Internal Server Error
  Date: Thu, 19 Mar 2020 14:52:01 GMT
  Server: Apache/2.4.38
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  X-Frame-Options: sameorigin
  Content-Length: 0
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
2020-03-19 15:52:01 ERROR 500: Internal Server Error.
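A small validator for the status-line grammar quoted from RFC 7230 section 3.1.2, added here as an example and not part of the report, httpd or PHP: it shows that "HTTP/1.1 209" without the trailing SP fails the grammar while an empty reason-phrase after that SP is legal, and builds a well-formed line for an unassigned code so an application never emits the malformed form. The reason-phrase table and the per-class fallback phrases are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# RFC 7230 section 3.1.2:
#   status-line   = HTTP-version SP status-code SP reason-phrase CRLF
#   HTTP-version  = "HTTP/" DIGIT "." DIGIT
#   status-code   = 3DIGIT
#   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
# The reason-phrase may be empty, but the SP that precedes it is mandatory.
STATUS_LINE = re.compile(
    r"^HTTP/(?P<major>[0-9])\.(?P<minor>[0-9]) "
    r"(?P<code>[0-9]{3}) "
    r"(?P<reason>[\t \x21-\x7e\x80-\xff]*)\r\n$"
)

def parse_status_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (version, code, reason) or None when the line violates the grammar."""
    m = STATUS_LINE.match(line)
    if m is None:
        return None
    return (f"{m['major']}.{m['minor']}", int(m["code"]), m["reason"])

# Subset of IANA-registered reason phrases (constructed for this example).
REASON_PHRASES = {
    200: "OK", 204: "No Content", 401: "Unauthorized", 500: "Internal Server Error",
}
# Fallback per class for unassigned codes such as 209 (assumed wording; RFC 7231
# only says a recipient treats an unknown code like the x00 code of its class).
CLASS_DEFAULT = {
    1: "Informational", 2: "Success", 3: "Redirection", 4: "Client Error", 5: "Server Error",
}

def build_status_line(code: int, reason: Optional[str] = None) -> str:
    """Build a grammar-valid HTTP/1.1 status line, never omitting the SP after the code."""
    if not 100 <= code <= 599:
        raise ValueError(f"status code out of range: {code}")
    if reason is None:
        reason = REASON_PHRASES.get(code, CLASS_DEFAULT.get(code // 100, ""))
    line = f"HTTP/1.1 {code} {reason}\r\n"
    if parse_status_line(line) is None:  # reason contained a CR/LF or a control char
        raise ValueError("reason phrase is not valid per RFC 7230")
    return line
```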
