-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error #201
Comments
Hi @DmitryFrolovTri , I added some log levelling of headers received in current master. If you place that module into your server and set I would guess that Firefox is splitting the |
Hi @icing thank you for your response I will give it a try and respond. am I correct that this is the expected behaviour of the firefox:
instead of
However in principle the current implementation of the check is done differently then would be expected by the http://httpd.apache.org/docs/2.4/mod/core.html#LimitRequestFields documentation LimitRequestFields applies to fields (At least in the doc, not to lines). The default 100 fields (if treated as fields) is enough almost on any type of request, but if treated as lines could start I feel that having a special LimitRequestLines parameter would be redundant. What is your view? |
I think mod_http2 should count the number of unique request header names against LimitRequestFields. This will give more predictable results. So, LimitRequestFieldSize * LimitRequestFields would be the max overall, irregardless of the header formatting. |
Hi, @icing you are right here firefox sends each cookie as it's own line and overflows the default 100 value (we observed 431 on Chrome, so I didn't test but I suppose the same is true there as well):
and this is how curl does it:
Do you believe this is something that could be allocated for someone to fix? |
Hi, @icing!
|
@icing do you know which Apache release this might go to? |
Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879832 13f79535-47bb-0310-9956-ffa450edef68
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Changes with Apache 2.4.46 *) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic] *) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing] *) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefan Eissing, Eric Covener, Christophe Jaillet] *) mod_proxy_fcgi: Fix build warnings for Windows platform Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing] Signed-off-by: Patrick McCarty <[email protected]>
Changes with Apache 2.4.46 *) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic] *) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing] *) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefen Eissing, Eric Covener, Christophe Jaillet] *) mod_proxy_fcgi: Fix build warnings for Windows platform Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
www/apache24: security fix Revisions pulled up: - www/apache24/Makefile 1.94 - www/apache24/distinfo 1.44 --- Module Name: pkgsrc Committed By: taca Date: Sun Aug 9 15:01:55 UTC 2020 Modified Files: pkgsrc/www/apache24: Makefile distinfo Log Message: www/apache24: update to 2.4.46 Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
www/apache24: security fix Revisions pulled up: - www/apache24/Makefile 1.94 - www/apache24/distinfo 1.44 --- Module Name: pkgsrc Committed By: taca Date: Sun Aug 9 15:01:55 UTC 2020 Modified Files: pkgsrc/www/apache24: Makefile distinfo Log Message: www/apache24: update to 2.4.46 Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
www/apache24: security fix Revisions pulled up: - www/apache24/Makefile 1.94 - www/apache24/distinfo 1.44 --- Module Name: pkgsrc Committed By: taca Date: Sun Aug 9 15:01:55 UTC 2020 Modified Files: pkgsrc/www/apache24: Makefile distinfo Log Message: www/apache24: update to 2.4.46 Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Hi,
with apache setting of LimitRequestFields = 100 (default) on HTTP/2 processing a get request with 12 header fields and 5782 bytes causes AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error triggered by this code
mod_h2/mod_http2/h2_stream.c
Line 719 in 02239fc
oh and apache versions where the issue is happening is 2.4.43:
Browser is Firefox/68.0, also was reproduced in later versions of it.
Please could you review the code that calculates the number of headers as it clearly calculates more of them in our case then we really have. Screenshot how it looks in firefox:
P.S. downgrading to HTTP/1.1 via "Protocols http/1.1" fixes the issue, staying on "Protocols h2" and setting LimitRequestFields to 103 allows the request to succeed with 200. The below is the raw headers of the request (GET / HTTP/2) I sent from firefox, host modified
The text was updated successfully, but these errors were encountered: