Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/12/22 06:59:47 UTC

DO NOT REPLY [Bug 41231] New: - SSL: using connection: upgrade leaves plaintext from PHP in reply

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41231>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41231

           Summary: SSL: using connection: upgrade leaves plaintext from PHP
                    in reply
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Keywords: TryAgain
          Severity: major
          Priority: P3
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: michael@maxspot.de


I'm issuing a request:

GET /index.php HTTP/1.1
Host: localhost
Upgrade: TLS/1.0
Connection: upgrade

And my client crashes because it can't parse the plaintext given back by 
index.php (which contains <?php for ($i = 0; $i < 10; $i++) echo "foobar"; ?>). 
In strace it's clearly visible:
[pid 16349] recv(8,
"\24\3\1\0\1\1\26\3\1\0000f\212W\335\273\16L\352\357\3054\32\204\311\376
\264a4l\3670\17\303e\224\202\370!\361\271\311\320\360\356\210ZN\255w\314
~\351\377=}\250irfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar",
2048, 0) = 119

If an OPTION * HTTP/1.1-request is sent before, it correctly switches and 
processes the next request.

You can reproduce it by using tlsupgrade.c:
Get http://people.apache.org/~bnicholes/tlsupgrade/tlsupgrade.c
Compile it with gcc -lssl -o tlsupgrade tlsupgrade.c
Run it using: strace -s 2048 ./tlsupgrade http://localhost/index.php
SSLEngine needs to be set to optional for the vhost (on port 80).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
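
Read against the TLS record layout, the 119 bytes in the strace line above are a 6-byte ChangeCipherSpec record, a 53-byte handshake record (5-byte header plus 48 bytes of ciphertext), and then 60 bytes of bare "foobar" output that no record covers. The following is an added example, not code from the report, tlsupgrade.c or httpd: a record walker a client or test harness could run on post-upgrade reads to flag such bytes; the function names and the 0xAA filler standing in for the ciphertext are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_HDR_LEN 5                    /* type(1) version(2) length(2) */
#define TLS_MAX_FRAGMENT (16384 + 2048)  /* TLS 1.0 ciphertext upper bound */

/* Walk buf as consecutive TLS records. Returns the offset of the first byte
 * that cannot start a well-formed record, or len if every byte is covered.
 * A truncated final record counts as covered: the rest may still arrive. */
size_t tls_first_stray_byte(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (buf[off] < 20 || buf[off] > 23)   /* CCS, alert, handshake, appdata */
            return off;
        if (len - off < TLS_HDR_LEN)          /* header split across reads */
            return len;
        if (buf[off + 1] != 3)                /* SSLv3/TLS major version */
            return off;
        size_t frag = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (frag > TLS_MAX_FRAGMENT)
            return off;
        if (len - off - TLS_HDR_LEN < frag)   /* body split across reads */
            return len;
        off += TLS_HDR_LEN + frag;
    }
    return len;
}

/* Constructed sample with the same layout as the recv() in the report. */
size_t build_sample(unsigned char *out)
{
    static const unsigned char ccs[] = { 20, 3, 1, 0, 1, 1 };
    static const unsigned char hs_hdr[] = { 22, 3, 1, 0, 48 };
    size_t n = 0;
    memcpy(out + n, ccs, sizeof ccs);       n += sizeof ccs;
    memcpy(out + n, hs_hdr, sizeof hs_hdr); n += sizeof hs_hdr;
    memset(out + n, 0xAA, 48);              n += 48;  /* filler ciphertext */
    for (int i = 0; i < 10; i++) { memcpy(out + n, "foobar", 6); n += 6; }
    return n;
}

int main(void)
{
    unsigned char buf[128];
    size_t n = build_sample(buf);
    size_t stray = tls_first_stray_byte(buf, n);
    if (stray < n)
        printf("%zu of %zu bytes lie outside any TLS record (offset %zu)\n",
               n - stray, n, stray);
    return 0;
}
```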


DO NOT REPLY [Bug 41231] - SSL: using connection: upgrade leaves plaintext from PHP in reply

Posted by bu...@apache.org.


jorton@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jorton@redhat.com  2007-11-06 07:03 -------
Fixed on trunk:  http://svn.apache.org/viewvc?view=rev&revision=592446



DO NOT REPLY [Bug 41231] - SSL: using connection: upgrade leaves plaintext from PHP in reply

Posted by bu...@apache.org.


michael@maxspot.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1




------- Additional Comments From michael@maxspot.de  2006-12-23 10:02 -------
Apparently the APR_BUCKET_IS_EOC is true for some reason, so 
ssl_filter_io_shutdown is called and the result is not filtered via SSL 
anymore. Before APR_BUCKET_IS_EOC is true, ssl_filter_write (which is called 
when APR_BUCKET_IS_EOC is not true) is called two times with NULL as data-
pointer. 

I don't know if this is normal behaviour and I'm not very into debugging 
apache, but maybe it gives a hint to the developers.
