Get with 5782 bytes of request headers with 12 header fields over HTTP/2 causes "AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error #201
Comments
DmitryFrolovTri
changed the title
DmitryFrolovTri
changed the title
|
Hi @DmitryFrolovTri , I added some log levelling of headers received in current master. If you place that module into your server and set I would guess that Firefox is splitting the |
|
Hi @icing thank you for your response I will give it a try and respond. am I correct that this is the expected behaviour of the firefox: instead of However in principle the current implementation of the check is done differently then would be expected by the http://httpd.apache.org/docs/2.4/mod/core.html#LimitRequestFields documentation LimitRequestFields applies to fields (At least in the doc, not to lines). The default 100 fields (if treated as fields) is enough almost on any type of request, but if treated as lines could start I feel that having a special LimitRequestLines parameter would be redundant. What is your view? |
|
I think mod_http2 should count the number of unique request header names against LimitRequestFields. This will give more predictable results. So, LimitRequestFieldSize * LimitRequestFields would be the max overall, irregardless of the header formatting. |
|
Hi, @icing you are right here firefox sends each cookie as it's own line and overflows the default 100 value (we observed 431 on Chrome, so I didn't test but I suppose the same is true there as well): and this is how curl does it: Do you believe this is something that could be allocated for someone to fix? |
DmitryFrolovTri
changed the title
DmitryFrolovTri
changed the title
|
Hi, @icing!
|
|
@icing do you know which Apache release this might go to? |
asfgit
pushed a commit
to apache/httpd
that referenced
this issue
Jul 13, 2020
Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879832 13f79535-47bb-0310-9956-ffa450edef68
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Aug 9, 2020
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several security problems: CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header CVE-2020-11984: mod_uwsgi buffer overlow CVE-2020-11985: CWE-345: Insufficient verification of data authenticity CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header pkgsrc changes: reduce warnings by SUBST_* processing. Changes with Apache 2.4.46 *) mod_proxy_fcgi: Fix build warnings for Windows platform [Eric Covener, Christophe Jaillet] Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
clrpackages
pushed a commit
to clearlinux-pkgs/httpd
that referenced
this issue
Aug 12, 2020
Changes with Apache 2.4.46 *) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic] *) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing] *) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefan Eissing, Eric Covener, Christophe Jaillet] *) mod_proxy_fcgi: Fix build warnings for Windows platform Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing] Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
laffer1
added a commit
to MidnightBSD/mports
that referenced
this issue
Aug 16, 2020
Changes with Apache 2.4.46 *) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic] *) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing] *) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefen Eissing, Eric Covener, Christophe Jaillet] *) mod_proxy_fcgi: Fix build warnings for Windows platform Changes with Apache 2.4.45 *) mod_http2: remove support for abandoned http-wg draft <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>. [Stefan Eissing] Changes with Apache 2.4.44 *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard protocol limit). [Yann Ylavic] *) mod_http2: Fixes <icing/mod_h2#200>: "LimitRequestFields 0" now disables the limit, as documented. Fixes <icing/mod_h2#201>: Do not count repeated headers with same name against the field count limit. The are merged internally, as if sent in a single HTTP/1 line. [Stefan Eissing] *) mod_http2: Avoid segfaults in case of handling certain responses for already aborted connections. [Stefan Eissing, Ruediger Pluem] *) mod_http2: The module now handles master/secondary connections and has marked methods according to use. [Stefan Eissing] *) core: Drop an invalid Last-Modified header value coming from a FCGI/CGI script instead of replacing it with Unix epoch. [Yann Ylavic, Luca Toscano] *) Add support for strict content-length parsing through addition of ap_parse_strict_length() [Yann Ylavic] *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression evaluates to false. PR64365. [Michael König <mail ikoenig.net>] *) mod_proxy_http: flush spooled request body in one go to avoid leaking (or long lived) temporary file. PR 64452. [Yann Ylavic] *) mod_ssl: Fix a race condition and possible crash when using a proxy client certificate (SSLProxyMachineCertificateFile). [Armin Abfalterer <a.abfalterer gmail.com>] *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing] *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG. PR64330 [Stefan Eissing] *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout was configured with a handshake timeout. Fixes gitub issue #196. [Stefan Eissing] *) mod_proxy_http2: the "ping" proxy parameter (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used when checking the liveliness of a new or reused h2 connection to the backend. With short durations, this makes load-balancing more responsive. The module will hold back requests until ping conditions are met, using features of the HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing] *) core: httpd is no longer linked against -lsystemd if mod_systemd is enabled (and built as a DSO). [Rainer Jung] *) mod_proxy_http2: respect ProxyTimeout settings on backend connections while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Aug 23, 2020
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.94
- www/apache24/distinfo 1.44
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 9 15:01:55 UTC 2020
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
www/apache24: update to 2.4.46
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several
security problems:
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overlow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
pkgsrc changes: reduce warnings by SUBST_* processing.
Changes with Apache 2.4.46
*) mod_proxy_fcgi: Fix build warnings for Windows platform
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <icing/mod_h2#200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <icing/mod_h2#201>:
Do not count repeated headers with same name against the field
count limit. The are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes gitub issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Oct 14, 2021
www/apache24: security fix
Revisions pulled up:
- www/apache24/Makefile 1.94
- www/apache24/distinfo 1.44
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 9 15:01:55 UTC 2020
Modified Files:
pkgsrc/www/apache24: Makefile distinfo
Log Message:
www/apache24: update to 2.4.46
Update apache24 to 2.4.46 (Apache HTTPD 2.4.46). It fixes several
security problems:
CVE-2020-9490: Push Diary Crash on Specifically Crafted HTTP/2 Header
CVE-2020-11984: mod_uwsgi buffer overlow
CVE-2020-11985: CWE-345: Insufficient verification of data authenticity
CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header
pkgsrc changes: reduce warnings by SUBST_* processing.
Changes with Apache 2.4.46
*) mod_proxy_fcgi: Fix build warnings for Windows platform
[Eric Covener, Christophe Jaillet]
Changes with Apache 2.4.45
*) mod_http2: remove support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
[Stefan Eissing]
Changes with Apache 2.4.44
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
protocol limit). [Yann Ylavic]
*) mod_http2:
Fixes <icing/mod_h2#200>:
"LimitRequestFields 0" now disables the limit, as documented.
Fixes <icing/mod_h2#201>:
Do not count repeated headers with same name against the field
count limit. The are merged internally, as if sent in a single HTTP/1 line.
[Stefan Eissing]
*) mod_http2: Avoid segfaults in case of handling certain responses for
already aborted connections. [Stefan Eissing, Ruediger Pluem]
*) mod_http2: The module now handles master/secondary connections and has marked
methods according to use. [Stefan Eissing]
*) core: Drop an invalid Last-Modified header value coming
from a FCGI/CGI script instead of replacing it with Unix epoch.
[Yann Ylavic, Luca Toscano]
*) Add support for strict content-length parsing through addition of
ap_parse_strict_length() [Yann Ylavic]
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
*) mod_proxy_http: flush spooled request body in one go to avoid
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
certificate (SSLProxyMachineCertificateFile).
[Armin Abfalterer <a.abfalterer gmail.com>]
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
PR64330 [Stefan Eissing]
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
was configured with a handshake timeout. Fixes gitub issue #196.
[Stefan Eissing]
*) mod_proxy_http2: the "ping" proxy parameter
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
when checking the liveliness of a new or reused h2 connection to the backend.
With short durations, this makes load-balancing more responsive. The module
will hold back requests until ping conditions are met, using features of the
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
*) core: httpd is no longer linked against -lsystemd if mod_systemd
is enabled (and built as a DSO). [Rainer Jung]
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
with apache setting of LimitRequestFields = 100 (default) on HTTP/2 processing a get request with 12 header fields and 5782 bytes causes AH10181: h2_stream(73-15,IDLE): Number of request headers exceeds LimitRequestFields" error triggered by this code
mod_h2/mod_http2/h2_stream.c
Line 719 in 02239fc
oh and apache versions where the issue is happening is 2.4.43:
Browser is Firefox/68.0, also was reproduced in later versions of it.
Please could you review the code that calculates the number of headers as it clearly calculates more of them in our case then we really have. Screenshot how it looks in firefox:
P.S. downgrading to HTTP/1.1 via "Protocols http/1.1" fixes the issue, staying on "Protocols h2" and setting LimitRequestFields to 103 allows the request to succeed with 200. The below is the raw headers of the request (GET / HTTP/2) I sent from firefox, host modified
The text was updated successfully, but these errors were encountered: