TOD has asked for the wisdom of the Perl Monks concerning the following question:

hi all,

i have a very special question and am not sure whether this is the right place to put it, but at least i should try.

i'm running a web application on a debian "sid" box with apache 2.0 and mod_perl2. in order to provide the app with a protection against flooding, the server has to shut down the connection if a client requests more than one page per second. the respective code is:

    my $r = shift;
    [...]
    my $time = time;
    if ($session->{LAST_REQUEST} >= $time - 1) {
        # previous request was no more than a second ago:
        # mark the connection for closing and stop handling the request
        $r->connection->keepalive(Apache2::Const::CONN_CLOSE);
        ModPerl::Util::exit(0);
    } else {
        # remember when this client was last served
        $session->{LAST_REQUEST} = $time;
    }
    [...]

quite unspectacular so far. the result is as predictable: the browser displays a blank page instead of the requested document.

a few days ago i set up a new box with the latest debian packages containing apache 2.2 and mod_perl2. and now a funny thing happens: when the server closes the connection, my firefox 2.0 browser doesn't display the blank page, but offers to download the perl sources instead. funnier: these downloads do not appear in the server's log files. even more funny: this happens with firefox only. opera 9 behaves as expected. i consider this a serious security risk. but on whose side? apache, mod_perl or firefox? and are there any workarounds?

Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by shmem (Chancellor) on Jan 16, 2007 at 10:03 UTC
    On my box, that also happens with a plain cgi script that fails to compile: firefox downloads it. I'm digging into that...

    (...)

    Hm. The downloaded "script" just contains the ErrorDocument (500 Internal Server Error). It is not displayed because its Content-type reads application/x-perl. I guess it's a bug (or a config issue?) in apache - it serves an error page with the wrong header. It should set Content-type: text/html when serving an error document.

    What is the content in your case?

    <update>

    Well, just in case... seems to be a mod_mime issue. It seems that even for error documents served instead of failed cgi output, the mime type is set according to the cgi file extension (brr!). This might help:

    • Sniff the traffic with e.g. wireshark (formerly ethereal) and look at what apache sends as Content-type in the response header.
    • Search for the directive TypesConfig in your apache configuration files.
    • In the file that is configured under this term, search for the mime type apache sent in the header.
    • Comment out that line.
    • Change the DefaultType in your apache config to text/html (or text/plain).

    </update>

    --shmem

Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by Corion (Patriarch) on Jan 16, 2007 at 09:35 UTC

    Another thing to look at is, of course, the difference in the network traffic between Opera and FireFox. Get a network sniffer to look at the traffic and look at what LWP get and/or wget output. I think that maybe FireFox helpfully hits a different webserver, like www.example.com after failing with example.com so you might be looking at the wrong server logs. The best way would be to confirm this with a network sniffer.

    You should sprinkle the code in question with log messages to make sure it takes the path you think it does. Also, maybe reduce your httpd.conf and your Perl code to a minimal example. As you don't send any reply to the user hitting your rate limit, maybe the browser just makes something up, like Content-Type: text/plain. I would try to send a 302 redirect to Google or whatever instead of silently failing, at least for testing out the whole situation. I'm not sure how the Apache logging handles ModPerl::Util::exit calls.

Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by spatterson (Pilgrim) on Jan 16, 2007 at 09:39 UTC
Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by perrin (Chancellor) on Jan 16, 2007 at 15:18 UTC
    It's not really going to download the source. It's just getting confused by the headers you're sending.
Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by Anonymous Monk on Jan 16, 2007 at 09:24 UTC
    but offers to download the perl sources instead

    Download to make sure.

Re: Apache2::Const::CONN_CLOSE & Apache 2.2
by Anonymous Monk on Jan 17, 2007 at 08:06 UTC
    @shmem & perrin
    you both hit the mark. i inserted a $r->content_type('text/plain') and firefox displayed the blank page. thx a lot for your idea! :)

    nevertheless that should be considered a bug.
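
The header check shmem suggests (look at the Content-type Apache actually sends), written as an added Python example that is not part of the original thread. The three captured responses are constructed for illustration, and the set of types treated as displayable inline is an assumption.

```python
from email.parser import BytesParser

# Assumption: types a browser displays inline instead of offering a download.
RENDERABLE = {"text/html", "text/plain", "application/xhtml+xml"}
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def parse_response(raw):
    """Split a captured HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split(None, 2)[1])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return status, headers, body

def audit(raw):
    """Return a list of finding codes for one captured response."""
    status, headers, body = parse_response(raw)
    findings = []
    # get_content_type() falls back to text/plain, so test for the header first.
    ctype = headers.get_content_type() if headers["Content-Type"] else None
    if ctype is None:
        findings.append("missing-content-type")
    elif status >= 400 and ctype not in RENDERABLE:
        findings.append("error-document-not-renderable:" + ctype)
    looks_html = body.lstrip().lower().startswith((b"<!doctype html", b"<html"))
    if looks_html and ctype not in HTML_TYPES:
        findings.append("html-body-mislabelled")
    return findings

# Constructed capture: error page labelled with the script's mime type.
SAMPLE_ERROR = (b"HTTP/1.1 500 Internal Server Error\r\n"
                b"Content-Type: application/x-perl\r\n"
                b"Connection: close\r\n\r\n"
                b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>'
                b"<title>500 Internal Server Error</title></head></html>\n")
# Constructed capture: empty reply with no Content-Type at all.
SAMPLE_NO_TYPE = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
# Constructed capture: the same empty reply with an explicit text/plain type.
SAMPLE_FIXED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Connection: close\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("error page", SAMPLE_ERROR), ("no type", SAMPLE_NO_TYPE),
                      ("explicit type", SAMPLE_FIXED)]:
        print(name, audit(raw) or "ok")
```
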