Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error #201

Closed
DmitryFrolovTri opened this issue Jul 7, 2020 · 6 comments

Comments

@DmitryFrolovTri
Copy link

DmitryFrolovTri commented Jul 7, 2020

Hi,

with apache setting of LimitRequestFields = 100 (default) on HTTP/2 processing a get request with 12 header fields and 5782 bytes causes AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error triggered by this code

if (stream->request_headers_added > session->s->limit_req_fields + 4) {

oh and apache versions where the issue is happening is 2.4.43:

> apachectl -v      
Server version: Apache/2.4.43 (codeit)
Server built:   May  7 2020 12:24:30

Browser is Firefox/68.0, also was reproduced in later versions of it.
Please could you review the code that calculates the number of headers as it clearly calculates more of them in our case then we really have. Screenshot how it looks in firefox:

P.S. downgrading to HTTP/1.1 via "Protocols http/1.1" fixes the issue, staying on "Protocols h2" and setting LimitRequestFields to 103 allows the request to succeed with 200. The below is the raw headers of the request (GET / HTTP/2) I sent from firefox, host modified

Host: zanroe.tabeltsonmo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: uid=9999; zzz_uuid=69fc9999-fa63-9999-8d48-b0e6aa6a62cc; _ga=GA1.4.9999.9999; blueID=b9999a6-87ab-9999-a9999-aa89cff34bba; nav_id=eac9b08f-9999c-42f0-9d19-9a3fe9999ad0; legacy_p=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999; legacy_c=0-AcMUzsTj3yAI-BQy1kWGD5asdf23HbNfAN1Iu4GIGi9999; legacy_s=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999; smViewPushOptin=true; sm_views=[{"create_date":"9999-04-20 8:44:21","path":"/search","smid":"3-8","kind":"view"},{"create_date":"9999-04-20 8:44:28","path":"/search","smid":"8-18","kind":"view"}]; smClosePushOptin=true; _gid=GA1.4.9999.9999; CACHED_FRONT_FORM_KEY=vjDxzUsdf67MqW5VHrQ87; smeventsclear_9999d4c8e8a2f9999ad9999c45=true; sback_session=5ea9dec9999d9999fc9999; sback_pageview=false; _st_ses=9999; _sptid=9999; _spcid=9999; _st_id=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV3JIZXFCSGVXcnV5; _st_cart_script=helper_impulse_meta.js; _st_cart_url=/; source=l.wp.com|l.wp.com|somesite.domain.com|somesite.domain.com; PAGECACHE_FORMKEY=gPuiAgeNm8V7dyo5; zzzFlag=ldca2e6c1aaa9999aa2bbc9999ac6f; zzzFlag_9999=ldca2e6c1aaa9999aa2bbc9999ac6f; zzzSYNC=1; _gcl_au=1.1.9999.9999; _ga=GA1.3.9999.9999; _gid=GA1.3.9999.9999; user_unic_ac_id=9999a9999d-3b1d-65a4-9999-84d9999ff9999; advcake_trackid=01e9999c-9999-4b08-abf7-9999deefbe6dc; UF=MA; frontend_cid=0rlCnUwmchScYTT4; EXTERNAL_NO_CACHE=1; _fbp=fb.2.9999.9999; _hjid=f4d9999e-9999d-4f65-a3ca-fbbe9999e; _hp2_ses_props.9999=%7B%22r%22%3A%22https%3A%2F%2Fwww.somesite.com%2F%22%2C%22ts%22%3A9999%2C%22d%22%3A%22someothersite.somesite.com%22%2C%22h%22%3A%22%2Fsearch%22%2C%22q%22%3A%22%3Fw%3Dtylenol%22%7D; impulsesuite_session=9999-0.9999; _cm_ads_activation_retry=false; renew_novarnish_show-name-operator=false; sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999; _st_idb=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV456JIZXFCSGVXcnV5; sback_client=56d9999bce62ee9999fd; sback_customer=$2wUxQWVid1aPR0aEh2QUdUWHtWQChFRTpVO3hzaIpXOZRXNwVUcttUW0tGeKhUbX1Ue345FVRCJDeOasdfh1MQVUQ6llT2$12; sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDYwNSwiZXhwIjoxNTg4MjgxMDA1LCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk456MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRdfiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.QS26xF6Em9VNXyoVecrTnlxRMG37_TdnAWQaEYiS2ic.WrWrDriYiYWrHezRuyqBDr; sback_partner=false; sback_current_session=1; sback_total_sessions=1; sb_days=9999; sback_customer_w=true; sback_refresh_wp=no; ak_bmsc=CBC56B9999CBB9999FAC9999DB9999EDA95E9999AD9999~pl6/DZcfA2C+TwqvRDhZ98swyQMkZ3wu8ddfGztNIEtOZU6sBl+NiMRGcVHOHid34hsA54ztmDxAULGNg/Swxe9xJPK+5CyB4eoxVIAlK6s9FT1OdUnP71HOQcrdfXo8MoLWevxor8I/DSq/UDY31dQg+4WlE/t8Un/zYcV24WNEKNrgsh5yLD8vC7bYknLjJx+ILl+dQCh8qIXqHt0VDKtapMU8MmnjU3y8pwLrTX4Bidisw=; _st_ses=9999; _cm_ads_activation_retry=false; _sptid=9999; _spcid=9999; _st_cart_script=helper_impulse_meta.js; _st_cart_url=/; sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999; sback_client=56d9999bce62ee9999fd; sback_customer=$2gVxgUVpd1UPJ1aLhmZUFTWitGeasdCdDR5oVM3ZzaupHUZJXNyUkMtFWW2smTK1Wbz1EZ6tWRlJTbOdzMnVkT61kT2$12; sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDY0MywiZXhwIjoxNTg4MjgxMDQzLCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk3MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.6uNtTdYcosLpxuhiR5-RSk0K-x_oIn-Aes1WQFI1J6k.WrWrDriYiYWrHezRuyzRKq; sback_partner=false; sback_current_session=1; sback_total_sessions=1; sb_days=9999; sback_session=5ea9ed9999b9999f9999a6c22; sback_pageview=false; sback_customer_w=true; chaordic_browserId=1a3cf9e8-b87d-43f7-baf0-c1f3b68b8a96; sback_refresh_wp=no; _spl_pv=84; _st_id=aG9zZWFwc0BnbWFpbC5jb20=; frontend=afjna0c3v8hnepddhjc1u60o9999; persistent_customer_somesite=s%3A32%3A%22xOeasdfpLCN9999cgcy7KJSMGdIrIQgi6mOpi%22%3B; persistent_rich_somesite=9999ea9ed9999f07f; live_cookie_9999=b%3A0%3B; CUSTOMER=f9999d9999e4bc53e8e9999; CUSTOMER_INFO=9999d4d9999bdff9999e81d5f1f9999; CUSTOMER_AUTH=9999a9999a9999b7fd54f5ea9999c70b; CART=1f3ae24c1ba9999c9999a9999e9999b9fc7; PAGECACHE_ENV=b9999a9999f2b0a2ffe5fb9999fc25; renew_n_user_menu=false; renew_n_minicart_head=false; renew_n_rrcontent-session=false; stc9999=tsa:9999.9999.9999.9999.1:9999|env:1%7C9999%7C9999%7C8%7C9999:9999|uid:9999.9999.9999.9999.9999.:9999|srchist:9999%3A1%3A9999:9999; _hp2_id.9999=%7B%22userId%22%3A%9999%22%2C%22pageviewId%22%3A%9999%22%2C%22sessionId%22%3A%9999%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%9999.0%22%7D; _spl_pv=5; rr_rcs=eF4Nx7ENwCAMBMCGKru85AdbxhtkDwsdMSRbok8yfXXSlPnjL6NNIwWk2orAmJv-qWzkVL0-N67z2ErgJa7wz11iIEUQF-hxARNA; _st_idb=aG9zZWFwc0BnbWFpbC5jb20=; _gali=zzz_search_1; bm_sv=7BD19B8F91EAD9999EEA9999DD3~BOBxnd9b8ddsymGyYciM91iX3Db5Z+wc40CD/lCEQ6tLIfYmmCfzzSkLmiiDtszKcY0N35IrYl6Et1HGRM2vuwln+Hg7kz/ttutYjgB4v5wbjQU4KXMu3jxv7vQ2WZ9lj5+o8r7Kasdf9999q0f9lT9ol7TxlOsw41DVggSUbkaRynsMPWyq8=
Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
@DmitryFrolovTri DmitryFrolovTri changed the title Get of 5782 bytes of headers with 11 fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Get of 5782 bytes of headers with 12 fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Jul 7, 2020
@DmitryFrolovTri DmitryFrolovTri changed the title Get of 5782 bytes of headers with 12 fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Jul 7, 2020
@icing
Copy link
Owner

icing commented Jul 8, 2020

Hi @DmitryFrolovTri ,

I added some log levelling of headers received in current master. If you place that module into your server and set LogLevel http2:trace2 (for testing only, this will write header content to your error log), you can see what clients are actually sending.

I would guess that Firefox is splitting the Cookie header into individual ones to make better use of h2 header compression. Thus many more header lines arrive at h2 than in h1.

@DmitryFrolovTri
Copy link
Author

Hi @icing thank you for your response

I will give it a try and respond.

am I correct that this is the expected behaviour of the firefox:

Cookie: Q1=value
Cookie: Q2=value

instead of

Cookie: Q1=value; Q2=value

However in principle the current implementation of the check is done differently then would be expected by the http://httpd.apache.org/docs/2.4/mod/core.html#LimitRequestFields documentation

LimitRequestFields applies to fields (At least in the doc, not to lines).
Do you think this is something that we could improve on?

The default 100 fields (if treated as fields) is enough almost on any type of request, but if treated as lines could start
throwing errors like in our case.

I feel that having a special LimitRequestLines parameter would be redundant.
So to me the best solution would be to slightly rewrite the logic of checking so that fields are checked as I suppose http/1.1 does.

What is your view?

@icing
Copy link
Owner

icing commented Jul 8, 2020

I think mod_http2 should count the number of unique request header names against LimitRequestFields. This will give more predictable results. So, LimitRequestFieldSize * LimitRequestFields would be the max overall, irregardless of the header formatting.

@DmitryFrolovTri
Copy link
Author

DmitryFrolovTri commented Jul 8, 2020

Hi, @icing you are right here firefox sends each cookie as it's own line and overflows the default 100 value (we observed 431 on Chrome, so I didn't test but I suppose the same is true there as well):

<...skipped...>
[Thu Jul 09 02:50:28.453242 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 5. header, user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
[Thu Jul 09 02:50:28.453255 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 6. header, accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Thu Jul 09 02:50:28.453261 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 7. header, accept-language: en-US,en;q=0.5
[Thu Jul 09 02:50:28.453265 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 8. header, accept-encoding: gzip, deflate, br
[Thu Jul 09 02:50:28.453270 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 9. header, dnt: 1
[Thu Jul 09 02:50:28.453274 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 10. header, cookie: uid=9999
[Thu Jul 09 02:50:28.453278 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 11. header, cookie: zzz_uuid=69fc9999-fa63-9999-8d48-b0e6aa6a62cc
[Thu Jul 09 02:50:28.453284 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 12. header, cookie: _ga=GA1.4.9999.9999
[Thu Jul 09 02:50:28.453288 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 13. header, cookie: blueID=b9999a6-87ab-9999-a9999-aa89cff34bba
[Thu Jul 09 02:50:28.453293 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 14. header, cookie: nav_id=eac9b08f-9999c-42f0-9d19-9a3fe9999ad0
[Thu Jul 09 02:50:28.453298 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 15. header, cookie: legacy_p=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999
[Thu Jul 09 02:50:28.453304 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 16. header, cookie: legacy_c=0-AcMUzsTj3yAI-BQy1kWGD5asdf23HbNfAN1Iu4GIGi9999
[Thu Jul 09 02:50:28.453309 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 17. header, cookie: legacy_s=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999
[Thu Jul 09 02:50:28.453313 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 18. header, cookie: smViewPushOptin=true
[Thu Jul 09 02:50:28.453320 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 19. header, cookie: sm_views=[{"create_date":"9999-04-20 8:44:21","path":"/search","smid":"3-8","kind":"view"},{"create_date":"9999-04-20 8:44:28","path":"/search","smid":"8-18","kind":"view"}]
[Thu Jul 09 02:50:28.453325 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 20. header, cookie: smClosePushOptin=true
[Thu Jul 09 02:50:28.453330 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 21. header, cookie: _gid=GA1.4.9999.9999
[Thu Jul 09 02:50:28.453335 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 22. header, cookie: CACHED_FRONT_FORM_KEY=vjDxzUsdf67MqW5VHrQ87
[Thu Jul 09 02:50:28.453339 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 23. header, cookie: smeventsclear_9999d4c8e8a2f9999ad9999c45=true
[Thu Jul 09 02:50:28.453344 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 24. header, cookie: sback_session=5ea9dec9999d9999fc9999
[Thu Jul 09 02:50:28.453360 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 25. header, cookie: sback_pageview=false
[Thu Jul 09 02:50:28.453366 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 26. header, cookie: _st_ses=9999
[Thu Jul 09 02:50:28.453371 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 27. header, cookie: _sptid=9999
[Thu Jul 09 02:50:28.453376 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 28. header, cookie: _spcid=9999
[Thu Jul 09 02:50:28.453383 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 29. header, cookie: _st_id=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV3JIZXFCSGVXcnV5
[Thu Jul 09 02:50:28.453391 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 30. header, cookie: _st_cart_script=helper_impulse_meta.js
[Thu Jul 09 02:50:28.453396 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 31. header, cookie: _st_cart_url=/
[Thu Jul 09 02:50:28.453401 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 32. header, cookie: source=l.wp.com|l.wp.com|somesite.domain.com|somesite.domain.com
[Thu Jul 09 02:50:28.453407 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 33. header, cookie: PAGECACHE_FORMKEY=gPuiAgeNm8V7dyo5
[Thu Jul 09 02:50:28.453412 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 34. header, cookie: zzzFlag=ldca2e6c1aaa9999aa2bbc9999ac6f
[Thu Jul 09 02:50:28.453422 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 35. header, cookie: zzzFlag_9999=ldca2e6c1aaa9999aa2bbc9999ac6f
[Thu Jul 09 02:50:28.453429 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 36. header, cookie: zzzSYNC=1
[Thu Jul 09 02:50:28.453434 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 37. header, cookie: _gcl_au=1.1.9999.9999
[Thu Jul 09 02:50:28.453439 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 38. header, cookie: _ga=GA1.3.9999.9999
[Thu Jul 09 02:50:28.453445 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 39. header, cookie: _gid=GA1.3.9999.9999
[Thu Jul 09 02:50:28.453450 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 40. header, cookie: user_unic_ac_id=9999a9999d-3b1d-65a4-9999-84d9999ff9999
[Thu Jul 09 02:50:28.453461 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 41. header, cookie: advcake_trackid=01e9999c-9999-4b08-abf7-9999deefbe6dc
[Thu Jul 09 02:50:28.453469 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 42. header, cookie: UF=MA
[Thu Jul 09 02:50:28.453475 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 43. header, cookie: frontend_cid=0rlCnUwmchScYTT4
[Thu Jul 09 02:50:28.453484 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 44. header, cookie: EXTERNAL_NO_CACHE=1
[Thu Jul 09 02:50:28.453490 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 45. header, cookie: _fbp=fb.2.9999.9999
[Thu Jul 09 02:50:28.453501 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 46. header, cookie: _hjid=f4d9999e-9999d-4f65-a3ca-fbbe9999e
[Thu Jul 09 02:50:28.453509 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 47. header, cookie: _hp2_ses_props.9999=%7B%22r%22%3A%22https%3A%2F%2Fwww.somesite.com%2F%22%2C%22ts%22%3A9999%2C%22d%22%3A%22someothersite.somesite.com%22%2C%22h%22%3A%22%2Fsearch%22%2C%22q%22%3A%22%3Fw%3Dtylenol%22%7D
[Thu Jul 09 02:50:28.453516 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 48. header, cookie: impulsesuite_session=9999-0.9999
[Thu Jul 09 02:50:28.453521 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 49. header, cookie: _cm_ads_activation_retry=false
[Thu Jul 09 02:50:28.453532 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 50. header, cookie: renew_novarnish_show-name-operator=false
[Thu Jul 09 02:50:28.453541 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 51. header, cookie: sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999
[Thu Jul 09 02:50:28.453549 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 52. header, cookie: _st_idb=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV456JIZXFCSGVXcnV5
[Thu Jul 09 02:50:28.453557 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 53. header, cookie: sback_client=56d9999bce62ee9999fd
[Thu Jul 09 02:50:28.453565 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 54. header, cookie: sback_customer=$2wUxQWVid1aPR0aEh2QUdUWHtWQChFRTpVO3hzaIpXOZRXNwVUcttUW0tGeKhUbX1Ue345FVRCJDeOasdfh1MQVUQ6llT2$12
[Thu Jul 09 02:50:28.453578 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 55. header, cookie: sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDYwNSwiZXhwIjoxNTg4MjgxMDA1LCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk456MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRdfiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.QS26xF6Em9VNXyoVecrTnlxRMG37_TdnAWQaEYiS2ic.WrWrDriYiYWrHezRuyqBDr
[Thu Jul 09 02:50:28.453588 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 56. header, cookie: sback_partner=false
[Thu Jul 09 02:50:28.453595 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 57. header, cookie: sback_current_session=1
[Thu Jul 09 02:50:28.453603 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 58. header, cookie: sback_total_sessions=1
[Thu Jul 09 02:50:28.453610 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 59. header, cookie: sb_days=9999
[Thu Jul 09 02:50:28.453622 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 60. header, cookie: sback_customer_w=true
[Thu Jul 09 02:50:28.453630 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 61. header, cookie: sback_refresh_wp=no
[Thu Jul 09 02:50:28.453641 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 62. header, cookie: ak_bmsc=CBC56B9999CBB9999FAC9999DB9999EDA95E9999AD9999~pl6/DZcfA2C+TwqvRDhZ98swyQMkZ3wu8ddfGztNIEtOZU6sBl+NiMRGcVHOHid34hsA54ztmDxAULGNg/Swxe9xJPK+5CyB4eoxVIAlK6s9FT1OdUnP71HOQcrdfXo8MoLWevxor8I/DSq/UDY31dQg+4WlE/t8Un/zYcV24WNEKNrgsh5yLD8vC7bYknLjJx+ILl+dQCh8qIXqHt0VDKtapMU8MmnjU3y8pwLrTX4Bidisw=
[Thu Jul 09 02:50:28.453651 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 63. header, cookie: _st_ses=9999
[Thu Jul 09 02:50:28.453658 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 64. header, cookie: _cm_ads_activation_retry=false
[Thu Jul 09 02:50:28.453665 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 65. header, cookie: _sptid=9999
[Thu Jul 09 02:50:28.453673 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 66. header, cookie: _spcid=9999
[Thu Jul 09 02:50:28.453681 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 67. header, cookie: _st_cart_script=helper_impulse_meta.js
[Thu Jul 09 02:50:28.453689 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 68. header, cookie: _st_cart_url=/
[Thu Jul 09 02:50:28.453697 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 69. header, cookie: sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999
[Thu Jul 09 02:50:28.453705 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 70. header, cookie: sback_client=56d9999bce62ee9999fd
[Thu Jul 09 02:50:28.453714 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 71. header, cookie: sback_customer=$2gVxgUVpd1UPJ1aLhmZUFTWitGeasdCdDR5oVM3ZzaupHUZJXNyUkMtFWW2smTK1Wbz1EZ6tWRlJTbOdzMnVkT61kT2$12
[Thu Jul 09 02:50:28.453728 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 72. header, cookie: sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDY0MywiZXhwIjoxNTg4MjgxMDQzLCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk3MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.6uNtTdYcosLpxuhiR5-RSk0K-x_oIn-Aes1WQFI1J6k.WrWrDriYiYWrHezRuyzRKq
[Thu Jul 09 02:50:28.453740 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 73. header, cookie: sback_partner=false
[Thu Jul 09 02:50:28.453748 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 74. header, cookie: sback_current_session=1
[Thu Jul 09 02:50:28.453756 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 75. header, cookie: sback_total_sessions=1
[Thu Jul 09 02:50:28.453769 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 76. header, cookie: sb_days=9999
[Thu Jul 09 02:50:28.453779 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 77. header, cookie: sback_session=5ea9ed9999b9999f9999a6c22
[Thu Jul 09 02:50:28.453789 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 78. header, cookie: sback_pageview=false
[Thu Jul 09 02:50:28.453799 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 79. header, cookie: sback_customer_w=true
[Thu Jul 09 02:50:28.453810 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 80. header, cookie: chaordic_browserId=1a3cf9e8-b87d-43f7-baf0-c1f3b68b8a96
[Thu Jul 09 02:50:28.453819 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 81. header, cookie: sback_refresh_wp=no
[Thu Jul 09 02:50:28.453829 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 82. header, cookie: _spl_pv=84
[Thu Jul 09 02:50:28.453841 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 83. header, cookie: _st_id=aG9zZWFwc0BnbWFpbC5jb20=
[Thu Jul 09 02:50:28.453855 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 84. header, cookie: frontend=afjna0c3v8hnepddhjc1u60o9999
[Thu Jul 09 02:50:28.453866 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 85. header, cookie: persistent_customer_somesite=s%3A32%3A%22xOeasdfpLCN9999cgcy7KJSMGdIrIQgi6mOpi%22%3B
[Thu Jul 09 02:50:28.453881 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 86. header, cookie: persistent_rich_somesite=9999ea9ed9999f07f
[Thu Jul 09 02:50:28.453895 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 87. header, cookie: live_cookie_9999=b%3A0%3B
[Thu Jul 09 02:50:28.453909 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 88. header, cookie: CUSTOMER=f9999d9999e4bc53e8e9999
[Thu Jul 09 02:50:28.453923 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 89. header, cookie: CUSTOMER_INFO=9999d4d9999bdff9999e81d5f1f9999
[Thu Jul 09 02:50:28.453937 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 90. header, cookie: CUSTOMER_AUTH=9999a9999a9999b7fd54f5ea9999c70b
[Thu Jul 09 02:50:28.453956 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 91. header, cookie: CART=1f3ae24c1ba9999c9999a9999e9999b9fc7
[Thu Jul 09 02:50:28.453970 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 92. header, cookie: PAGECACHE_ENV=b9999a9999f2b0a2ffe5fb9999fc25
[Thu Jul 09 02:50:28.453983 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 93. header, cookie: renew_n_user_menu=false
[Thu Jul 09 02:50:28.453997 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 94. header, cookie: renew_n_minicart_head=false
[Thu Jul 09 02:50:28.454016 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 95. header, cookie: renew_n_rrcontent-session=false
[Thu Jul 09 02:50:28.454031 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 96. header, cookie: stc9999=tsa:9999.9999.9999.9999.1:9999|env:1%7C9999%7C9999%7C8%7C9999:9999|uid:9999.9999.9999.9999.9999.:9999|srchist:9999%3A1%3A9999:9999
[Thu Jul 09 02:50:28.454048 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 97. header, cookie: _hp2_id.9999=%7B%22userId%22%3A%9999%22%2C%22pageviewId%22%3A%9999%22%2C%22sessionId%22%3A%9999%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%9999.0%22%7D
[Thu Jul 09 02:50:28.454062 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 98. header, cookie: _spl_pv=5
[Thu Jul 09 02:50:28.454077 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 99. header, cookie: rr_rcs=eF4Nx7ENwCAMBMCGKru85AdbxhtkDwsdMSRbok8yfXXSlPnjL6NNIwWk2orAmJv-qWzkVL0-N67z2ErgJa7wz11iIEUQF-hxARNA
[Thu Jul 09 02:50:28.454090 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 100. header, cookie: _st_idb=aG9zZWFwc0BnbWFpbC5jb20=
[Thu Jul 09 02:50:28.454106 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 101. header, cookie: _gali=zzz_search_1
[Thu Jul 09 02:50:28.454123 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 102. header, cookie: bm_sv=7BD19B8F91EAD9999EEA9999DD3~BOBxnd9b8ddsymGyYciM91iX3Db5Z+wc40CD/lCEQ6tLIfYmmCfzzSkLmiiDtszKcY0N35IrYl6Et1HGRM2vuwln+Hg7kz/ttutYjgB4v5wbjQU4KXMu3jxv7vQ2WZ9lj5+o8r7Kasdf9999q0f9lT9ol7TxlOsw41DVggSUbkaRynsMPWyq8=
[Thu Jul 09 02:50:28.454138 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 103. header, upgrade-insecure-requests: 1
[Thu Jul 09 02:50:28.454144 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 104. header, pragma: no-cache
[Thu Jul 09 02:50:28.454148 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 105. header, cache-control: no-cache
[Thu Jul 09 02:50:28.454152 2020] [http2:trace2] [pid 19236:tid 139660349122304] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(10-15,IDLE): adding 106. header, te: trailers

and this is how curl does it:

<...skipped...>
[Thu Jul 09 02:59:33.825691 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 5. header, user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 CURL
[Thu Jul 09 02:59:33.825705 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 6. header, accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Thu Jul 09 02:59:33.825711 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 7. header, accept-language: en-US,en;q=0.5
[Thu Jul 09 02:59:33.825716 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 8. header, accept-encoding: gzip, deflate, br
[Thu Jul 09 02:59:33.825721 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 9. header, dnt: 1
[Thu Jul 09 02:59:33.825779 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 10. header, cookie: uid=9999; zzz_uuid=69fc9999-fa63-9999-8d48-b0e6aa6a62cc; _ga=GA1.4.9999.9999; blueID=b9999a6-87ab-9999-a9999-aa89cff34bba; nav_id=eac9b08f-9999c-42f0-9d19-9a3fe9999ad0; legacy_p=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999; legacy_c=0-AcMUzsTj3yAI-BQy1kWGD5asdf23HbNfAN1Iu4GIGi9999; legacy_s=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999; smViewPushOptin=true; sm_views=[{"create_date":"9999-04-20 8:44:21","path":"/search","smid":"3-8","kind":"view"},{"create_date":"9999-04-20 8:44:28","path":"/search","smid":"8-18","kind":"view"}]; smClosePushOptin=true; _gid=GA1.4.9999.9999; CACHED_FRONT_FORM_KEY=vjDxzUsdf67MqW5VHrQ87; smeventsclear_9999d4c8e8a2f9999ad9999c45=true; sback_session=5ea9dec9999d9999fc9999; sback_pageview=false; _st_ses=9999; _sptid=9999; _spcid=9999; _st_id=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV3JIZXFCSGVXcnV5; _st_cart_script=helper_impulse_meta.js; _st_cart_url=/; source=l.wp.com|l.wp.com|somesite.domain.com|somesite.domain.com; PAGECACHE_FORMKEY=gPuiAgeNm8V7dyo5; zzzFlag=ldca2e6c1aaa9999aa2bbc9999ac6f; zzzFlag_9999=ldca2e6c1aaa9999aa2bbc9999ac6f; zzzSYNC=1; _gcl_au=1.1.9999.9999; _ga=GA1.3.9999.9999; _gid=GA1.3.9999.9999; user_unic_ac_id=9999a9999d-3b1d-65a4-9999-84d9999ff9999; advcake_trackid=01e9999c-9999-4b08-abf7-9999deefbe6dc; UF=MA; frontend_cid=0rlCnUwmchScYTT4; EXTERNAL_NO_CACHE=1; _fbp=fb.2.9999.9999; _hjid=f4d9999e-9999d-4f65-a3ca-fbbe9999e; _hp2_ses_props.9999=%7B%22r%22%3A%22https%3A%2F%2Fwww.somesite.com%2F%22%2C%22ts%22%3A9999%2C%22d%22%3A%22someothersite.somesite.com%22%2C%22h%22%3A%22%2Fsearch%22%2C%22q%22%3A%22%3Fw%3Dtylenol%22%7D; impulsesuite_session=9999-0.9999; _cm_ads_activation_retry=false; renew_novarnish_show-name-operator=false; sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999; _st_idb=bmV3LmV5SjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSklVekkxTmlKOS5leUpsYldGcGJDSTZJbWh2YzJWaGNITkFaMjFoYVd3dVkyOXRJbjAuOTBOdEx2M3VFNndBVUtIY1pNYXp3VEhBekFNMS0taG5BM3Jmc2RCdVJjVS5XcldyRHJpWWlZV456JIZXFCSGVXcnV5; sback_client=56d9999bce62ee9999fd; sback_customer=$2wUxQWVid1aPR0aEh2QUdUWHtWQChFRTpVO3hzaIpXOZRXNwVUcttUW0tGeKhUbX1Ue345FVRCJDeOasdfh1MQVUQ6llT2$12; sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDYwNSwiZXhwIjoxNTg4MjgxMDA1LCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk456MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRdfiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.QS26xF6Em9VNXyoVecrTnlxRMG37_TdnAWQaEYiS2ic.WrWrDriYiYWrHezRuyqBDr; sback_partner=false; sback_current_session=1; sback_total_sessions=1; sb_days=9999; sback_customer_w=true; sback_refresh_wp=no; ak_bmsc=CBC56B9999CBB9999FAC9999DB9999EDA95E9999AD9999~pl6/DZcfA2C+TwqvRDhZ98swyQMkZ3wu8ddfGztNIEtOZU6sBl+NiMRGcVHOHid34hsA54ztmDxAULGNg/Swxe9xJPK+5CyB4eoxVIAlK6s9FT1OdUnP71HOQcrdfXo8MoLWevxor8I/DSq/UDY31dQg+4WlE/t8Un/zYcV24WNEKNrgsh5yLD8vC7bYknLjJx+ILl+dQCh8qIXqHt0VDKtapMU8MmnjU3y8pwLrTX4Bidisw=; _st_ses=9999; _cm_ads_activation_retry=false; _sptid=9999; _spcid=9999; _st_cart_script=helper_impulse_meta.js; _st_cart_url=/; sback_browser=e9999a9b2-9999-4fcc-a9999-4bb6fe4b9999-9999; sback_client=56d9999bce62ee9999fd; sback_customer=$2gVxgUVpd1UPJ1aLhmZUFTWitGeasdCdDR5oVM3ZzaupHUZJXNyUkMtFWW2smTK1Wbz1EZ6tWRlJTbOdzMnVkT61kT2$12; sback_access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhcGkuc2JhY2sudGVjaCIsImlhdCI6MTU4ODE5NDY0MywiZXhwIjoxNTg4MjgxMDQzLCJhcGkiOiJ2MiIsImRhdGEiOnsiY2xpZW50X2lkIjoiNTZkNDg0Mzk3MjViY2U2MmVlNjczM2ZkIiwiY2xpZW50X2RvbWFpbiI6Im9ub2ZyZS5jb20uYnIiLCJjdXN0b21lcl9pZCI6IjVlOWQ4YWQwZDA5YzlhYmRiMjNhNzcxNyIsImN1c3RvbWVyX2Fub9999bW91cyI6ZmFsc2UsImNvbm5lY3Rpb25faWQiOiI1ZTlkOGFkMGQwOWM5YWJkYjIzYTc3MTgiLCJhY2Nlc3NfbGV2ZWwiOiJjdXN0b21lciJ9fQ.6uNtTdYcosLpxuhiR5-RSk0K-x_oIn-Aes1WQFI1J6k.WrWrDriYiYWrHezRuyzRKq; sback_partner=false; sback_current_session=1; sback_total_sessions=1; sb_days=9999; sback_session=5ea9ed9999b9999f9999a6c22; sback_pageview=false; sback_customer_w=true; chaordic_browserId=1a3cf9e8-b87d-43f7-baf0-c1f3b68b8a96; sback_refresh_wp=no; _spl_pv=84; _st_id=aG9zZWFwc0BnbWFpbC5jb20=; frontend=afjna0c3v8hnepddhjc1u60o9999; persistent_customer_somesite=s%3A32%3A%22xOeasdfpLCN9999cgcy7KJSMGdIrIQgi6mOpi%22%3B; persistent_rich_somesite=9999ea9ed9999f07f; live_cookie_9999=b%3A0%3B; CUSTOMER=f9999d9999e4bc53e8e9999; CUSTOMER_INFO=9999d4d9999bdff9999e81d5f1f9999; CUSTOMER_AUTH=9999a9999a9999b7fd54f5ea9999c70b; CART=1f3ae24c1ba9999c9999a9999e9999b9fc7; PAGECACHE_ENV=b9999a9999f2b0a2ffe5fb9999fc25; renew_n_user_menu=false; renew_n_minicart_head=false; renew_n_rrcontent-session=false; stc9999=tsa:9999.9999.9999.9999.1:9999|env:1%7C9999%7C9999%7C8%7C9999:9999|uid:9999.9999.9999.9999.9999.:9999|srchist:9999%3A1%3A9999:9999; _hp2_id.9999=%7B%22userId%22%3A%9999%22%2C%22pageviewId%22%3A%9999%22%2C%22sessionId%22%3A%9999%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%9999.0%22%7D; _spl_pv=5; rr_rcs=eF4Nx7ENwCAMBMCGKru85AdbxhtkDwsdMSRbok8yfXXSlPnjL6NNIwWk2orAmJv-qWzkVL0-N67z2ErgJa7wz11iIEUQF-hxARNA; _st_idb=aG9zZWFwc0BnbWFpbC5jb20=; _gali=zzz_search_1; bm_sv=7BD19B8F91EAD9999EEA9999DD3~BOBxnd9b8ddsymGyYciM91iX3Db5Z+wc40CD/lCEQ6tLIfYmmCfzzSkLmiiDtszKcY0N35IrYl6Et1HGRM2vuwln+Hg7kz/ttutYjgB4v5wbjQU4KXMu3jxv7vQ2WZ9lj5+o8r7Kasdf9999q0f9lT9ol7TxlOsw41DVggSUbkaRynsMPWyq8=
[Thu Jul 09 02:59:33.825809 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 11. header, cache-control: no-cache
[Thu Jul 09 02:59:33.825815 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 12. header, pragma: no-cache
[Thu Jul 09 02:59:33.825819 2020] [http2:trace2] [pid 19236:tid 139660189660928] h2_stream.c(699): [client X.X.X.X:YYYY] h2_stream(29-1,IDLE): adding 13. header, upgrade-insecure-requests: 1

Do you believe this is something that could be allocated for someone to fix?

@DmitryFrolovTri DmitryFrolovTri changed the title Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Get on Firefox with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Jul 8, 2020
@DmitryFrolovTri DmitryFrolovTri changed the title Get on Firefox with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error Jul 8, 2020
@icing icing closed this as completed in 09f9b6a Jul 8, 2020
@DmitryFrolovTri
Copy link
Author

Hi, @icing!
Thank you very much I tested the new code and it works as expected:

  • HTTP 200 in all the cases on the cookie above
    and
  • HTTP 431 when LimitRequestFields = 9 (there are 13 headers in the request)
    so it works fine.
    I suppose you removed the logging for counting fields :)

@DmitryFrolovTri
Copy link
Author

@icing do you know which Apache release this might go to?

asfgit pushed a commit to apache/httpd that referenced this issue Jul 13, 2020
     Fixes <icing/mod_h2#200>: 
     "LimitRequestFields 0" now disables the limit, as documented.
     Fixes <icing/mod_h2#201>: 
     Do not count repeated headers with same name against the field
     count limit. The are merged internally, as if sent in a single HTTP/1 line.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879832 13f79535-47bb-0310-9956-ffa450edef68
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 9, 2020
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46).  It fixes several
security problems:

CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overlow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

pkgsrc changes: reduce warnings by SUBST_* processing.


Changes with Apache 2.4.46
  *) mod_proxy_fcgi: Fix build warnings for Windows platform
     [Eric Covener, Christophe Jaillet]

Changes with Apache 2.4.45

  *) mod_http2: remove support for abandoned http-wg draft
     <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
     [Stefan Eissing]

Changes with Apache 2.4.44

  *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
     protocol limit).  [Yann Ylavic]

  *) mod_http2:
     Fixes <icing/mod_h2#200>:
     "LimitRequestFields 0" now disables the limit, as documented.
     Fixes <icing/mod_h2#201>:
     Do not count repeated headers with same name against the field
     count limit. The are merged internally, as if sent in a single HTTP/1 line.
     [Stefan Eissing]

  *) mod_http2: Avoid segfaults in case of handling certain responses for
     already aborted connections.  [Stefan Eissing, Ruediger Pluem]

  *) mod_http2: The module now handles master/secondary connections and has marked
     methods according to use. [Stefan Eissing]

  *) core: Drop an invalid Last-Modified header value coming
     from a FCGI/CGI script instead of replacing it with Unix epoch.
     [Yann Ylavic, Luca Toscano]

  *) Add support for strict content-length parsing through addition of
     ap_parse_strict_length() [Yann Ylavic]

  *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
     evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

  *) mod_proxy_http: flush spooled request body in one go to avoid
     leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

  *) mod_ssl: Fix a race condition and possible crash when using a proxy client
     certificate (SSLProxyMachineCertificateFile).
     [Armin Abfalterer <a.abfalterer gmail.com>]

  *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

  *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
     PR64330 [Stefan Eissing]

  *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
     was configured with a handshake timeout. Fixes gitub issue #196.
     [Stefan Eissing]

  *) mod_proxy_http2: the "ping" proxy parameter
     (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
     when checking the liveliness of a new or reused h2 connection to the backend.
     With short durations, this makes load-balancing more responsive. The module
     will hold back requests until ping conditions are met, using features of the
     HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

  *) core: httpd is no longer linked against -lsystemd if mod_systemd
     is enabled (and built as a DSO).  [Rainer Jung]

  *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
     while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
clrpackages pushed a commit to clearlinux-pkgs/httpd that referenced this issue Aug 12, 2020
Changes with Apache 2.4.46
  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
     mod_proxy_uwsgi: Malicious request may result in information disclosure
     or RCE of existing file on the server running under a malicious process
     environment. [Yann Ylavic]

  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
     mod_http2: when throttling connection requests, log statements
     where possibly made that result in concurrent, unsafe use of
     a memory pool. [Stefan Eissing]

  *) SECURITY:
     mod_http2: a specially crafted value for the 'Cache-Digest' header
     request would result in a crash when the server actually tries
     to HTTP/2 PUSH a resource afterwards.
     [Stefan Eissing, Eric Covener, Christophe Jaillet]

  *) mod_proxy_fcgi: Fix build warnings for Windows platform

Changes with Apache 2.4.45

  *) mod_http2: remove support for abandoned http-wg draft
     <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
     [Stefan Eissing]

Changes with Apache 2.4.44

  *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
     protocol limit).  [Yann Ylavic]

  *) mod_http2:
     Fixes <icing/mod_h2#200>:
     "LimitRequestFields 0" now disables the limit, as documented.
     Fixes <icing/mod_h2#201>:
     Do not count repeated headers with same name against the field
     count limit. The are merged internally, as if sent in a single HTTP/1 line.
     [Stefan Eissing]

  *) mod_http2: Avoid segfaults in case of handling certain responses for
     already aborted connections.  [Stefan Eissing, Ruediger Pluem]

  *) mod_http2: The module now handles master/secondary connections and has marked
     methods according to use. [Stefan Eissing]

  *) core: Drop an invalid Last-Modified header value coming
     from a FCGI/CGI script instead of replacing it with Unix epoch.
     [Yann Ylavic, Luca Toscano]

  *) Add support for strict content-length parsing through addition of
     ap_parse_strict_length() [Yann Ylavic]

  *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
     evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

  *) mod_proxy_http: flush spooled request body in one go to avoid
     leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

  *) mod_ssl: Fix a race condition and possible crash when using a proxy client
     certificate (SSLProxyMachineCertificateFile).
     [Armin Abfalterer <a.abfalterer gmail.com>]

  *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

  *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
     PR64330 [Stefan Eissing]

  *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
     was configured with a handshake timeout. Fixes gitub issue #196.
     [Stefan Eissing]

  *) mod_proxy_http2: the "ping" proxy parameter
     (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
     when checking the liveliness of a new or reused h2 connection to the backend.
     With short durations, this makes load-balancing more responsive. The module
     will hold back requests until ping conditions are met, using features of the
     HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

  *) core: httpd is no longer linked against -lsystemd if mod_systemd
     is enabled (and built as a DSO).  [Rainer Jung]

  *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
     while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]

Signed-off-by: Patrick McCarty <[email protected]>
laffer1 added a commit to MidnightBSD/mports that referenced this issue Aug 16, 2020
Changes with Apache 2.4.46
  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
     mod_proxy_uwsgi: Malicious request may result in information disclosure
     or RCE of existing file on the server running under a malicious process
     environment. [Yann Ylavic]

  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
     mod_http2: when throttling connection requests, log statements
     where possibly made that result in concurrent, unsafe use of
     a memory pool. [Stefan Eissing]

  *) SECURITY:
     mod_http2: a specially crafted value for the 'Cache-Digest' header
     request would result in a crash when the server actually tries
     to HTTP/2 PUSH a resource afterwards.
     [Stefen Eissing, Eric Covener, Christophe Jaillet]

  *) mod_proxy_fcgi: Fix build warnings for Windows platform

Changes with Apache 2.4.45

  *) mod_http2: remove support for abandoned http-wg draft
     <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
     [Stefan Eissing]

Changes with Apache 2.4.44

  *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
     protocol limit).  [Yann Ylavic]

  *) mod_http2:
     Fixes <icing/mod_h2#200>:
     "LimitRequestFields 0" now disables the limit, as documented.
     Fixes <icing/mod_h2#201>:
     Do not count repeated headers with same name against the field
     count limit. The are merged internally, as if sent in a single HTTP/1 line.
     [Stefan Eissing]

  *) mod_http2: Avoid segfaults in case of handling certain responses for
     already aborted connections.  [Stefan Eissing, Ruediger Pluem]

  *) mod_http2: The module now handles master/secondary connections and has marked
     methods according to use. [Stefan Eissing]

  *) core: Drop an invalid Last-Modified header value coming
     from a FCGI/CGI script instead of replacing it with Unix epoch.
     [Yann Ylavic, Luca Toscano]

  *) Add support for strict content-length parsing through addition of
     ap_parse_strict_length() [Yann Ylavic]

  *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
     evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

  *) mod_proxy_http: flush spooled request body in one go to avoid
     leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

  *) mod_ssl: Fix a race condition and possible crash when using a proxy client
     certificate (SSLProxyMachineCertificateFile).
     [Armin Abfalterer <a.abfalterer gmail.com>]

  *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

  *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
     PR64330 [Stefan Eissing]

  *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
     was configured with a handshake timeout. Fixes gitub issue #196.
     [Stefan Eissing]

  *) mod_proxy_http2: the "ping" proxy parameter
     (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
     when checking the liveliness of a new or reused h2 connection to the backend.
     With short durations, this makes load-balancing more responsive. The module
     will hold back requests until ping conditions are met, using features of the
     HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

  *) core: httpd is no longer linked against -lsystemd if mod_systemd
     is enabled (and built as a DSO).  [Rainer Jung]

  *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
     while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 23, 2020
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.94
- www/apache24/distinfo                                         1.44

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Sun Aug  9 15:01:55 UTC 2020

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   www/apache24: update to 2.4.46

   Update apache24 to 2.4.46 (Apache HTTPD 2.4.46).  It fixes several
   security problems:

   CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
   CVE-2020-11984: mod_uwsgi buffer overlow
   CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
   CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

   pkgsrc changes: reduce warnings by SUBST_* processing.

   Changes with Apache 2.4.46
     *) mod_proxy_fcgi: Fix build warnings for Windows platform
        [Eric Covener, Christophe Jaillet]

   Changes with Apache 2.4.45

     *) mod_http2: remove support for abandoned http-wg draft
        <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
        [Stefan Eissing]

   Changes with Apache 2.4.44

     *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
        protocol limit).  [Yann Ylavic]

     *) mod_http2:
        Fixes <icing/mod_h2#200>:
        "LimitRequestFields 0" now disables the limit, as documented.
        Fixes <icing/mod_h2#201>:
        Do not count repeated headers with same name against the field
        count limit. The are merged internally, as if sent in a single HTTP/1 line.
        [Stefan Eissing]

     *) mod_http2: Avoid segfaults in case of handling certain responses for
        already aborted connections.  [Stefan Eissing, Ruediger Pluem]

     *) mod_http2: The module now handles master/secondary connections and has marked
        methods according to use. [Stefan Eissing]

     *) core: Drop an invalid Last-Modified header value coming
        from a FCGI/CGI script instead of replacing it with Unix epoch.
        [Yann Ylavic, Luca Toscano]

     *) Add support for strict content-length parsing through addition of
        ap_parse_strict_length() [Yann Ylavic]

     *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
        evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

     *) mod_proxy_http: flush spooled request body in one go to avoid
        leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

     *) mod_ssl: Fix a race condition and possible crash when using a proxy client
        certificate (SSLProxyMachineCertificateFile).
        [Armin Abfalterer <a.abfalterer gmail.com>]

     *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

     *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
        PR64330 [Stefan Eissing]

     *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
        was configured with a handshake timeout. Fixes gitub issue #196.
        [Stefan Eissing]

     *) mod_proxy_http2: the "ping" proxy parameter
        (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
        when checking the liveliness of a new or reused h2 connection to the backend.
        With short durations, this makes load-balancing more responsive. The module
        will hold back requests until ping conditions are met, using features of the
        HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

     *) core: httpd is no longer linked against -lsystemd if mod_systemd
        is enabled (and built as a DSO).  [Rainer Jung]

     *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
        while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 14, 2021
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.94
- www/apache24/distinfo                                         1.44

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Sun Aug  9 15:01:55 UTC 2020

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   www/apache24: update to 2.4.46

   Update apache24 to 2.4.46 (Apache HTTPD 2.4.46).  It fixes several
   security problems:

   CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
   CVE-2020-11984: mod_uwsgi buffer overlow
   CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
   CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

   pkgsrc changes: reduce warnings by SUBST_* processing.

   Changes with Apache 2.4.46
     *) mod_proxy_fcgi: Fix build warnings for Windows platform
        [Eric Covener, Christophe Jaillet]

   Changes with Apache 2.4.45

     *) mod_http2: remove support for abandoned http-wg draft
        <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
        [Stefan Eissing]

   Changes with Apache 2.4.44

     *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
        protocol limit).  [Yann Ylavic]

     *) mod_http2:
        Fixes <icing/mod_h2#200>:
        "LimitRequestFields 0" now disables the limit, as documented.
        Fixes <icing/mod_h2#201>:
        Do not count repeated headers with same name against the field
        count limit. The are merged internally, as if sent in a single HTTP/1 line.
        [Stefan Eissing]

     *) mod_http2: Avoid segfaults in case of handling certain responses for
        already aborted connections.  [Stefan Eissing, Ruediger Pluem]

     *) mod_http2: The module now handles master/secondary connections and has marked
        methods according to use. [Stefan Eissing]

     *) core: Drop an invalid Last-Modified header value coming
        from a FCGI/CGI script instead of replacing it with Unix epoch.
        [Yann Ylavic, Luca Toscano]

     *) Add support for strict content-length parsing through addition of
        ap_parse_strict_length() [Yann Ylavic]

     *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
        evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

     *) mod_proxy_http: flush spooled request body in one go to avoid
        leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

     *) mod_ssl: Fix a race condition and possible crash when using a proxy client
        certificate (SSLProxyMachineCertificateFile).
        [Armin Abfalterer <a.abfalterer gmail.com>]

     *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

     *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
        PR64330 [Stefan Eissing]

     *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
        was configured with a handshake timeout. Fixes gitub issue #196.
        [Stefan Eissing]

     *) mod_proxy_http2: the "ping" proxy parameter
        (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
        when checking the liveliness of a new or reused h2 connection to the backend.
        With short durations, this makes load-balancing more responsive. The module
        will hold back requests until ping conditions are met, using features of the
        HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

     *) core: httpd is no longer linked against -lsystemd if mod_systemd
        is enabled (and built as a DSO).  [Rainer Jung]

     *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
        while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Dec 10, 2024
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.94
- www/apache24/distinfo                                         1.44

---
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Sun Aug  9 15:01:55 UTC 2020

   Modified Files:
           pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   www/apache24: update to 2.4.46

   Update apache24 to 2.4.46 (Apache HTTPD 2.4.46).  It fixes several
   security problems:

   CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
   CVE-2020-11984: mod_uwsgi buffer overlow
   CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
   CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

   pkgsrc changes: reduce warnings by SUBST_* processing.

   Changes with Apache 2.4.46
     *) mod_proxy_fcgi: Fix build warnings for Windows platform
        [Eric Covener, Christophe Jaillet]

   Changes with Apache 2.4.45

     *) mod_http2: remove support for abandoned http-wg draft
        <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
        [Stefan Eissing]

   Changes with Apache 2.4.44

     *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
        protocol limit).  [Yann Ylavic]

     *) mod_http2:
        Fixes <icing/mod_h2#200>:
        "LimitRequestFields 0" now disables the limit, as documented.
        Fixes <icing/mod_h2#201>:
        Do not count repeated headers with same name against the field
        count limit. The are merged internally, as if sent in a single HTTP/1 line.
        [Stefan Eissing]

     *) mod_http2: Avoid segfaults in case of handling certain responses for
        already aborted connections.  [Stefan Eissing, Ruediger Pluem]

     *) mod_http2: The module now handles master/secondary connections and has marked
        methods according to use. [Stefan Eissing]

     *) core: Drop an invalid Last-Modified header value coming
        from a FCGI/CGI script instead of replacing it with Unix epoch.
        [Yann Ylavic, Luca Toscano]

     *) Add support for strict content-length parsing through addition of
        ap_parse_strict_length() [Yann Ylavic]

     *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
        evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]

     *) mod_proxy_http: flush spooled request body in one go to avoid
        leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]

     *) mod_ssl: Fix a race condition and possible crash when using a proxy client
        certificate (SSLProxyMachineCertificateFile).
        [Armin Abfalterer <a.abfalterer gmail.com>]

     *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]

     *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
        PR64330 [Stefan Eissing]

     *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
        was configured with a handshake timeout. Fixes gitub issue #196.
        [Stefan Eissing]

     *) mod_proxy_http2: the "ping" proxy parameter
        (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
        when checking the liveliness of a new or reused h2 connection to the backend.
        With short durations, this makes load-balancing more responsive. The module
        will hold back requests until ping conditions are met, using features of the
        HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]

     *) core: httpd is no longer linked against -lsystemd if mod_systemd
        is enabled (and built as a DSO).  [Rainer Jung]

     *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
        while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants