Allow processing of ErrorDocument#3514
Allow processing of ErrorDocument#3514JonathanBerrew wants to merge 1 commit intoowasp-modsecurity:v2/masterfrom
Conversation
|
There was a problem hiding this comment.
Pull request overview
Updates ModSecurity’s Apache2 utility helper for sending error buckets, apparently aiming to influence how Apache processes custom ErrorDocument responses during interception.
Changes:
- Modifies
send_error_bucket()to force the request status to200before emitting an Apache error bucket.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /* Set the status line explicitly for the error document */ | ||
| f->r->status_line = ap_get_status_line(status); | ||
| f->r->status = 200; |
There was a problem hiding this comment.
Setting f->r->status = 200 while also setting status_line to an error status and sending an error bucket makes the request status inconsistent with the intended error response. In particular, protocols like HTTP/2 rely on r->status (not status_line) to populate :status, which can cause intercepted/blocked responses to be sent as 200 OK. Align r->status with the status argument (or avoid overriding it here and let the error bucket handling set it), so the final response code matches the interception status and ErrorDocument processing works correctly.
| /* Set the status line explicitly for the error document */ | |
| f->r->status_line = ap_get_status_line(status); | |
| f->r->status = 200; | |
| /* Set the status explicitly for the error document */ | |
| f->r->status_line = ap_get_status_line(status); | |
| f->r->status = status; |
This is a Marc Stern modification, I don't have much more insight on the code he made. To be reviewed with caution and check if this is still relevant