Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/03/19 19:43:28 UTC
[Bug 64246] New: Providing incorrect HTTP/1.1 status line causes
unhandled 500 Internal Server Error
https://bz.apache.org/bugzilla/show_bug.cgi?id=64246
Bug ID: 64246
Summary: Providing incorrect HTTP/1.1 status line causes
unhandled 500 Internal Server Error
Product: Apache httpd-2
Version: 2.4.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: All
Assignee: bugs@httpd.apache.org
Reporter: marek.sebera@gmail.com
Target Milestone: ---
Discovered while investigating CakePHP issue
https://github.com/cakephp/cakephp/pull/14373#issuecomment-601234866
Using the PHP function header("HTTP/1.1 209"); i.e. providing a non-standard HTTP
Response-Code without a Reason-Phrase, causes Apache2 to emit a 500 error and not
log any additional error.
209 is IANA unassigned
https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
RFC says (https://tools.ietf.org/html/rfc7230#section-3.1.2) :
status-line = HTTP-version SP status-code SP reason-phrase CRLF
-------
This has been tested just today with Debian 10 Buster stock builds of Apache2
and PHP 7.3 (using libapache2-mod-php7.3), versions:
Server version: Apache/2.4.38 (Debian)
Server built: 2019-10-15T19:53:42
and
Server version: Apache/2.4.41 (Debian)
Server built: 2019-08-16T19:44:16
PHP 7.3 from Debian Buster (package version 2:7.3+69)
and libapache2-mod-php7.3 (7.3.14-1~deb10u1)
# dpkg -l | grep apache
ii apache2 2.4.41-1~bpo10+1 amd64 Apache HTTP Server
ii apache2-bin 2.4.41-1~bpo10+1 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.41-1~bpo10+1 all Apache HTTP Server (common files)
ii apache2-utils 2.4.41-1~bpo10+1 amd64 Apache HTTP Server (utility programs for web servers)
ii libapache2-mod-fcgid 1:2.3.9-4 amd64 FastCGI interface module for Apache 2
ii libapache2-mod-php7.0 7.0.30-0+deb9u1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii libapache2-mod-php7.3 7.3.14-1~deb10u1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
# apache2ctl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
cgid_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
fcgid_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
-------
The AccessLog in such a case looks like this:
84.xxx.xxx.180 - basic_auth_username [19/Mar/2020:16:02:09 +0100] "GET /logs/ HTTP/1.1" 209 943 "https://app.censored.domain/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4085.12 Safari/537.36"
It logs the correct Status Code provided by PHP, but actually returns the full
"HTTP/1.1 500 Internal Server Error" status line to the browser.
No other logs are observed in the standard error.log, syslog, dmesg or others.
PHP does not log any error either.
--------
Full communication looks like this:
> wget -S -O - -o - "https://basic_auth_username:ba_password@app.censored.domain/logs/"
--2020-03-19 15:52:01--  https://basic_auth_username:*password*@app.censored.domain/logs/
Resolving app.censored.domain (app.censored.domain)... 193.150.13.226
Connecting to app.censored.domain (app.censored.domain)|193.xxx.xxx.226|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 401 Unauthorized
Date: Thu, 19 Mar 2020 14:52:01 GMT
Server: Apache/2.4.38
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
WWW-Authenticate: Basic realm="Password Protected"
Content-Length: 381
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Authentication selected: Basic realm="Password Protected"
Reusing existing connection to app.censored.domain:443.
HTTP request sent, awaiting response...
HTTP/1.1 500 Internal Server Error
Date: Thu, 19 Mar 2020 14:52:01 GMT
Server: Apache/2.4.38
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
2020-03-19 15:52:01 ERROR 500: Internal Server Error.
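An added example, not part of the original report and not code from httpd, PHP or CakePHP: a checker for the RFC 7230 status-line grammar quoted above, which an application could run on a status line before handing it to header(). The names check_status_line and audit are hypothetical; the checker validates the grammar only and does not model how Apache or mod_php parse the line.

```python
import re

# RFC 7230 section 3.1.2, as quoted in the report:
#   status-line   = HTTP-version SP status-code SP reason-phrase CRLF
#   status-code   = 3DIGIT
#   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
# The SP after the status code is mandatory; the reason phrase may be empty.
_STATUS_LINE = re.compile(
    rb"HTTP/\d\.\d (?P<code>\d{3})(?P<tail> [\t \x21-\x7e\x80-\xff]*)?"
)


def check_status_line(line: bytes):
    """Classify one status line; returns (verdict, status_code, reason)."""
    if line.endswith(b"\r\n"):          # accept the line with or without CRLF
        line = line[:-2]
    m = _STATUS_LINE.fullmatch(line)
    if m is None:
        return ("malformed", None, None)
    code = int(m.group("code"))
    tail = m.group("tail")
    if tail is None:
        # "HTTP/1.1 209": the delimiter SP before reason-phrase is absent
        return ("missing-sp-after-code", code, None)
    reason = tail[1:].decode("latin-1")
    return ("ok" if reason else "ok-empty-reason", code, reason)


# Constructed sample inputs (not captured traffic)
SAMPLES = [
    b"HTTP/1.1 209",                    # the header() argument from the report
    b"HTTP/1.1 209 ",                   # SP present, empty reason-phrase
    b"HTTP/1.1 209 Custom\r\n",         # SP and a reason-phrase
    b"HTTP/1.1 20",                     # status-code is not 3DIGIT
    b"HTTP/1.1 200 OK\r\nX: y",         # stray CR/LF inside the line
]


def audit(samples=SAMPLES):
    """Return the verdict for each sample, in order."""
    return [check_status_line(s)[0] for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit()):
        print(f"{sample!r:32} {verdict}")
```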