ports/142795: mod_fcgid broken large form uploads

Sergey Prikhodko sergey at network-asp.biz
Wed Jan 13 21:30:02 UTC 2010


>Number:         142795
>Category:       ports
>Synopsis:       mod_fcgid broken large form uploads
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 13 21:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Sergey Prikhodko
>Release:       7.2-RELEASE-p4
>Organization:
Network-ASP
>Environment:
FreeBSD xeon.office.network-asp.biz 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Fri Oct  2 12:21:39 UTC 2009     root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
From http://svn.apache.org/viewvc?view=revision&revision=826829:

Fix possible corruption or truncation of request bodies which exceed
FcgidMaxRequestInMem.  

If the entire excess had been read from the brigade at the time the
limit was exceeded, the bug would be avoided.

This is a regression since mod_fcgid 2.2, which effectively ignored 
FcgidMaxRequestInMem if larger than 8K, since it reset the cumulative
request_len counter each time it obtained an input brigade of up to
HUGE_STRING_LEN bytes.
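Added illustration, not part of this PR and not mod_fcgid code: a constructed, simplified model of the spool that mod_fcgid uses for bodies larger than FcgidMaxRequestInMem. The first max_in_mem bytes stay in memory, the excess goes to a temp file that is kept open and reused by every request on the same connection (mod_fcgid stores the fd in r->connection->pool userdata). It shows why the reused file must be truncated, not merely rewound, before each request: otherwise bytes left over from an earlier, larger body are read back as part of the current one. All names (spool_t, spool_begin, second_body_len, ...) are hypothetical; ISO C has no truncate call, so the "fixed" path reopens the temp file to stand in for apr_file_trunc(fd, 0).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a request-body spool (hypothetical names, not
 * mod_fcgid code). Bytes up to max_in_mem stay in memory; the rest is
 * written to a temp file that is reused across requests, like the
 * per-connection fd mod_fcgid keeps in pool userdata. */
#define MEM_CAP 4096

typedef struct {
    size_t max_in_mem;
    char   mem[MEM_CAP];
    size_t mem_len;
    FILE  *tmp;       /* reused by every request on the "connection" */
} spool_t;

static int spool_init(spool_t *s, size_t max_in_mem)
{
    memset(s, 0, sizeof *s);
    s->max_in_mem = max_in_mem > MEM_CAP ? MEM_CAP : max_in_mem;
    s->tmp = tmpfile();
    return s->tmp ? 0 : -1;
}

/* Begin a new request on the same spool.
 * truncate_file == 0 models the defect: the offset is rewound but the
 * previous request's bytes stay in the file.
 * truncate_file != 0 models the fix (apr_file_trunc(fd, 0) on the reused
 * fd); since ISO C cannot truncate, the temp file is reopened instead. */
static int spool_begin(spool_t *s, int truncate_file)
{
    s->mem_len = 0;
    if (truncate_file) {
        fclose(s->tmp);
        s->tmp = tmpfile();
        return s->tmp ? 0 : -1;
    }
    rewind(s->tmp);
    return 0;
}

/* Feed one chunk of body data, spilling anything past the memory limit. */
static int spool_write(spool_t *s, const char *data, size_t len)
{
    size_t to_mem = s->max_in_mem - s->mem_len;
    if (to_mem > len)
        to_mem = len;
    memcpy(s->mem + s->mem_len, data, to_mem);
    s->mem_len += to_mem;
    if (len > to_mem &&
        fwrite(data + to_mem, 1, len - to_mem, s->tmp) != len - to_mem)
        return -1;
    return 0;
}

/* Reassemble the body as a consumer would: memory part, then the whole
 * temp file from offset 0 to EOF. Returns the body length, or -1. */
static long spool_collect(spool_t *s, char *out, size_t cap)
{
    size_t n;
    if (s->mem_len > cap)
        return -1;
    memcpy(out, s->mem, s->mem_len);
    if (fflush(s->tmp) != 0 || fseek(s->tmp, 0, SEEK_SET) != 0)
        return -1;
    n = fread(out + s->mem_len, 1, cap - s->mem_len, s->tmp);
    return (long)(s->mem_len + n);
}

/* Send a constructed 100-byte body and then a constructed 50-byte body
 * through one reused spool (limit 32 bytes in memory) and return the
 * length the consumer sees for the second body. The correct answer is 50;
 * without truncation the 68 spilled bytes of the first body are still in
 * the file and the second body reads back as 100 bytes. */
static long second_body_len(int truncate_file)
{
    spool_t s;
    char body1[100], body2[50], out[512];
    long n;

    memset(body1, 'A', sizeof body1);
    memset(body2, 'B', sizeof body2);
    if (spool_init(&s, 32) != 0)
        return -1;
    if (spool_begin(&s, truncate_file) != 0 ||
        spool_write(&s, body1, sizeof body1) != 0 ||
        spool_begin(&s, truncate_file) != 0 ||
        spool_write(&s, body2, sizeof body2) != 0) {
        fclose(s.tmp);
        return -1;
    }
    n = spool_collect(&s, out, sizeof out);
    fclose(s.tmp);
    return n;
}

int main(void)
{
    printf("reused file, rewind only : second body = %ld bytes\n", second_body_len(0));
    printf("reused file, truncated   : second body = %ld bytes\n", second_body_len(1));
    return 0;
}
```

The 100-byte result from the rewind-only path is the stale-data effect the patch removes: the new hunk calls apr_file_trunc(fd, 0) whenever an existing per-connection fd is fetched, so each request starts from an empty file.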

>How-To-Repeat:
Try uploading a large file (>64kb).
>Fix:
http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c?r1=826829&r2=826828&pathrev=826829&view=patch

See attached patch.

Patch attached with submission follows:

diff -ruN mod_fcgid.orig/files/patch-modules-fcgid-fcgid_bridge.c mod_fcgid/files/patch-modules-fcgid-fcgid_bridge.c
--- mod_fcgid.orig/files/patch-modules-fcgid-fcgid_bridge.c	1970-01-01 03:00:00.000000000 +0300
+++ mod_fcgid/files/patch-modules-fcgid-fcgid_bridge.c	2010-01-13 23:16:36.000000000 +0200
@@ -0,0 +1,39 @@
+--- ./modules/fcgid/fcgid_bridge.c.orig	2009-10-07 14:37:11.000000000 +0300
++++ ./modules/fcgid/fcgid_bridge.c	2010-01-13 23:15:11.000000000 +0200
+@@ -448,7 +448,6 @@
+     int seen_eos;
+     apr_off_t request_size = 0;
+     apr_file_t *fd = NULL;
+-    int need_truncate = 1;
+     apr_off_t cur_pos = 0;
+     FCGI_Header *stdin_request_header;
+     apr_bucket_brigade *output_brigade;
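Review bot: removing `need_truncate` here is complete as far as these hunks show, since its only other uses are in the `else if (need_truncate)` branch deleted later in this patch; note that `cur_pos` on the following line keeps its `= 0` initializer, which is the only reset it still has once the `cur_pos = 0` in that deleted branch is gone, so this relies on the function being entered fresh for each request, as the other per-request locals (`seen_eos`, `request_size`) suggest it is.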
+@@ -548,6 +547,15 @@
+                     apr_pool_userdata_get(&tmp, fd_key,
+                                           r->connection->pool);
+                     fd = tmp;
++
++                    if (fd != NULL) {
++                        if ((rv = apr_file_trunc(fd, 0)) != APR_SUCCESS) {
++                            ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
++                                          "mod_fcgid: can't truncate existing "
++                                          "temporary file");
++                            return HTTP_INTERNAL_SERVER_ERROR;
++                        }
++                    }
+                 }
+ 
+                 if (fd == NULL) {
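Review bot: the new `apr_file_trunc(fd, 0)` on the fd fetched from `r->connection->pool` userdata is the substantive fix: that file is connection-scoped and reused by later requests on the same keep-alive connection, so its length has to be reset before each request's first write, not just its offset. One point on the error path: after a failed truncate the stale fd stays registered in the pool userdata and the function returns HTTP_INTERNAL_SERVER_ERROR, so the next request on that connection will fetch the same fd and most likely fail the same way; unsetting the userdata entry (or closing the file) there would let that request fall through to the `if (fd == NULL)` path and get a fresh file.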
+@@ -574,11 +582,8 @@
+                     apr_pool_userdata_set((const void *) fd, fd_key,
+                                           apr_pool_cleanup_null,
+                                           r->connection->pool);
+-                } else if (need_truncate) {
+-                    need_truncate = 0;
+-                    apr_file_trunc(fd, 0);
+-                    cur_pos = 0;
+                 }
++
+                 // Write request to tmp file
+                 if ((rv =
+                      apr_file_write_full(fd, (const void *) data, len,
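Review bot: dropping the `else if (need_truncate)` branch moves truncation from the first write to the point where the fd is acquired; the `cur_pos = 0` it carried is redundant because `cur_pos` is initialised to 0 at its declaration. This also means the old unchecked `apr_file_trunc(fd, 0)` becomes a checked call whose failure is logged and returned as 500 in the earlier hunk, which is an improvement. The added blank `+` line before `// Write request to tmp file` is whitespace-only and harmless.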


>Release-Note:
>Audit-Trail:
>Unformatted:
