Thread: [mod-security-users] sec_filter_out: Invalid Content-Length: 0
From: Philippe B. <pbo...@ci...> - 2005-09-27 09:40:03
Hi folks,

On a reverse proxy I've set up, I'm getting tons (like 10/sec) of :

mod_security: sec_filter_out: Invalid Content-Length: 0

...errors in my logs.

Here is the only interesting part in my configuration that is causing these messages :

SecFilterScanOutput On

(yes, I scan output for ADODB errors (for example)...)

Here is the kind of headers that cause this :

HTTP/1.0 302 Moved Temporarily
Server: Microsoft-IIS/5.0
[...]
Location: http://blah/expired.htm
Content-Length: 0
[...]
Connection: close

OK... but also, a bit more strange (this is the output of a GET /image/thing.gif) :
(yes, there are 2 answers at the same time and the image is displayed)

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 27 Sep 2005 09:15:47 GMT
Content-Type: image/gif
Accept-Ranges: bytes
Last-Modified: Sun, 27 Mar 2005 00:01:15 GMT
ETag: "d0cf6f186c32c51:905"
Content-Length: 76

GIF89 [ gif_content... ]ÇòL׶\;HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Tue, 27 Sep 2005 09:15:47 GMT
Content-Type: text/html
Content-Length: 80

<html><head><title>Error</title></head><body>Incorrect Parameter. </body></html>

Why does it say "content-length: 0" while none of these content-lengths are equal to 0?

Is there a way to disable this warning other than by modifying the code ?

Sincerely,
Philippe Bourcier
From: Ivan R. <iv...@we...> - 2005-09-27 10:09:53
Philippe Bourcier wrote:
>
> Hi folks,
>
> On a reverse proxy I've set up, I'm getting tons (like 10/sec) of :
> mod_security: sec_filter_out: Invalid Content-Length: 0
> ...errors in my logs.
>
> ...
>
> OK... but also, a bit more strange (this is the output of a GET
> /image/thing.gif) :
> (yes, there are 2 answers at the same time and the image is displayed)
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Tue, 27 Sep 2005 09:15:47 GMT
> Content-Type: image/gif
> Accept-Ranges: bytes
> Last-Modified: Sun, 27 Mar 2005 00:01:15 GMT
> ETag: "d0cf6f186c32c51:905"
> Content-Length: 76
>
> GIF89 [ gif_content... ]ÇòL׶\;HTTP/1.1 400 Bad Request
> Server: Microsoft-IIS/5.0
> Date: Tue, 27 Sep 2005 09:15:47 GMT
> Content-Type: text/html
> Content-Length: 80

This looks like the bug I just fixed a few days ago. In fact, I am still waiting for the confirmation on that one. I can include the fix for this in the version I wrap for you to test and you'll let me know.

But, mod_security should look at the bodies of GIF images, shouldn't it? Are you using SecFilterOutputMimeTypes to restrict output filtering by MIME type?

> Why does it say "content-length: 0" while none of these content-lengths
> are equal to 0?

It is, the first one:

> HTTP/1.0 302 Moved Temporarily
> Server: Microsoft-IIS/5.0
> [...]
> Location: http://blah/expired.htm
> Content-Length: 0
> [...]
> Connection: close

It's a bug in mod_security. It is legal (according to the HTTP spec) to have a Content-Length of zero.

> Is there a way to disable this warning other than by modifying the code ?

No, there isn't. But that's not the problem because I will modify the code. You did not mention the version you are using: is it 1.8.7? If you want to try something from the 1.9 branch, 1.9 Release Candidate will be ready on Monday.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Philippe B. <pbo...@ci...> - 2005-09-27 12:06:06
Re,

>> HTTP/1.1 200 OK
>> Server: Microsoft-IIS/5.0
>> Date: Tue, 27 Sep 2005 09:15:47 GMT
>> Content-Type: image/gif
>> Accept-Ranges: bytes
>> Last-Modified: Sun, 27 Mar 2005 00:01:15 GMT
>> ETag: "d0cf6f186c32c51:905"
>> Content-Length: 76
>> GIF89 [ gif_content... ]ÇòL׶\;HTTP/1.1 400 Bad Request
>> Server: Microsoft-IIS/5.0
>> Date: Tue, 27 Sep 2005 09:15:47 GMT
>> Content-Type: text/html
>> Content-Length: 80
>
> This looks like the bug I just fixed a few days ago. In fact, I am
> still waiting for the confirmation on that one. I can include the
> fix for this in the version I wrap for you to test and you'll let
> me know.
>
> But, mod_security should look at the bodies of GIF images, shouldn't
> it?

I don't think so... and why would that change the content-length anyway ?

> Are you using SecFilterOutputMimeTypes to restrict output
> filtering by MIME type?

No, I don't need this, especially while filtering the output.

>> Why does it say "content-length: 0" while none
>> of these content-lengths are equal to 0?
>
> It's a bug in mod_security. It is legal (according to the HTTP spec)
> to have a Content-Length of zero.

OK

>> Is there a way to disable this warning other than by modifying the code ?
>
> No, there isn't. But that's not the problem because I will modify
> the code. You did not mention the version you are using: is it
> 1.8.7?

Yes, stable.

> If you want to try something from the 1.9 branch, 1.9 Release
> Candidate will be ready on Monday.

Nice, I'll install it when it's released.

Sincerely,
Philippe Bourcier
From: Ivan R. <iv...@we...> - 2005-09-27 12:11:15
Philippe Bourcier wrote:
>
>> But, mod_security should look at the bodies of GIF images, shouldn't
>> it?
>
> I don't think so... and why would that change the content-length anyway ?

It wouldn't, read on...

>> Are you using SecFilterOutputMimeTypes to restrict output
>> filtering by MIME type?
>
> No, I don't need this, especially while filtering the output.

If you are not using it your proxy is wasting CPU cycles working through every image you serve. And you may encounter false positives too. Something like:

SecFilterOutputMimeTypes "(null) text/plain text/html"

would make sure images are untouched. In fact, this is the default value in 1.9.

>> If you want to try something from the 1.9 branch, 1.9 Release
>> Candidate will be ready on Monday.
>
> Nice, I'll install it when it's released.

Great. You'll see a message on this list when it is released.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
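As an added example (not code from this thread or from mod_security itself), the Python below frames the back-to-back responses Philippe posted by their Content-Length, validates that header the way the HTTP spec allows (0 is legal) beside an assumed reconstruction of the 1.8.7 check that rejected it, and applies the 1.9 default SecFilterOutputMimeTypes list to decide which of those responses would be scanned. The GIF bytes are constructed filler; the exact shape of the 1.8.7 check is an assumption.

```python
# Constructed stand-in for the stream Philippe posted: a 76-byte GIF response, then a
# 400 response on the same connection, then the 302 with Content-Length: 0.
GIF_BODY = b"GIF89a" + b"\x00" * 70  # 76 bytes of constructed filler, not the real image
HTML_BODY = b"<html><head><title>Error</title></head><body>Incorrect Parameter. </body></html>"
STREAM = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: image/gif\r\n"
    b"Content-Length: 76\r\n\r\n" + GIF_BODY
    + b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(HTML_BODY) + HTML_BODY
    + b"HTTP/1.0 302 Moved Temporarily\r\nLocation: http://blah/expired.htm\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)
# Default SecFilterOutputMimeTypes value quoted in the thread; "(null)" = no Content-Type.
OUTPUT_MIME_TYPES = {b"(null)", b"text/plain", b"text/html"}

def parse_content_length(value, buggy=False):
    """Length as int, or None if invalid. RFC 2616 allows any non-negative integer,
    so 0 is valid; buggy=True is an assumed reconstruction of the 1.8.7 check."""
    value = value.strip()
    if not value.isdigit():
        return None  # non-numeric or negative: genuinely invalid
    n = int(value)
    if buggy and n == 0:
        return None  # what produced "sec_filter_out: Invalid Content-Length: 0"
    return n

def split_responses(stream, buggy=False):
    """Split back-to-back responses on one connection using Content-Length framing.
    Returns [(status line, headers, body)]; raises on an invalid Content-Length."""
    responses, pos = [], 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        status, *header_lines = stream[pos:end].split(b"\r\n")
        headers = {}
        for line in header_lines:
            name, _, val = line.partition(b":")
            headers[name.strip().lower()] = val.strip()
        n = parse_content_length(headers.get(b"content-length", b"0"), buggy)
        if n is None:
            raise ValueError("sec_filter_out: Invalid Content-Length in %r" % status)
        responses.append((status.decode(), headers, stream[end + 4:end + 4 + n]))
        pos = end + 4 + n
    return responses

def should_scan_output(headers):
    """SecFilterOutputMimeTypes decision: scan only the listed media types."""
    ctype = headers.get(b"content-type")
    if ctype is None:
        return b"(null)" in OUTPUT_MIME_TYPES
    return ctype.split(b";")[0].strip().lower() in OUTPUT_MIME_TYPES
```

With the default list, the image/gif response is left untouched while the text/html error page and the header-only 302 (no Content-Type, matched by "(null)") are still scanned; calling split_responses(STREAM, buggy=True) raises on the 302, which is the log line Philippe saw.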