RHEL-89707 (project: RHEL)

mod_security with SecRequestBodyAccess prevents mod_deflate from decompressing request body

Type: Bug
Resolution: Unresolved
Priority: Major
Affects Version: rhel-8.10
Component: httpd
Architecture: x86_64
      What were you trying to do that didn't work?

      If mod_security is added with SecRequestBodyAccess to a configuration with mod_deflate used as an input filter for request decompression, mod_deflate is no longer able to decompress the request.

      What is the impact of this issue to you?

      The configuration cannot work as desired with both mod_security and mod_deflate.

      Please provide the package NVR for which the bug is seen:

      httpd-2.4.37-65.module+el8.10.0+22756+938009b1.3.x86_64

      How reproducible is this bug?:

      Always for compressed requests to an impacted configuration

      Steps to reproduce

      1. Configure mod_security in httpd along with mod_deflate. Setting this up with a simple ProxyPass back to the same httpd server plus dumpio is an easy way to confirm whether the request body had been decompressed by the time the request was proxied out:

        DumpIOInput On
        DumpIOOutput On
        LogLevel debug dumpio:trace7
        SecRequestBodyAccess On
        SetInputFilter DEFLATE
        ProxyPass /helloworld http://127.0.0.1:80/

      2. Create a simple compressed file and then try to POST it via curl:

        $ echo "myrequestbody" | gzip > body.gz
        $ curl -v -X POST -H 'Content-Encoding: gzip' --data-binary @body.gz localhost/helloworld/
      3. Without mod_security/SecRequestBodyAccess, the dumpio debug output shows the request body being consumed after some proxy handling, in two reads (the gzip header bytes, then the rest of the data) by mod_deflate, followed by a mod_deflate message indicating that it was inflated:
      [Wed Apr 30 23:05:04.881336 2025] [proxy:debug] [pid 1479053:tid 1479186] proxy_util.c(2640): [client ::1:40666] AH00944: connecting http://127.0.0.1:8080/helloworld/HelloWorldPost to 127.0.0.1:8080
      [Wed Apr 30 23:05:04.882037 2025] [proxy:debug] [pid 1479053:tid 1479186] proxy_util.c(2866): [client ::1:40666] AH00947: connected /helloworld/HelloWorldPost to 127.0.0.1:8080
      [Wed Apr 30 23:05:04.882133 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(135): [client ::1:40666] mod_dumpio: dumpio_in [readbytes-blocking] 10 readbytes
      [Wed Apr 30 23:05:04.882156 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(58): [client ::1:40666] mod_dumpio:  dumpio_in (data-HEAP): 10 bytes
      [Wed Apr 30 23:05:04.882166 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(100): [client ::1:40666] mod_dumpio:  dumpio_in (data-HEAP): \x1f\x8b\b
      [Wed Apr 30 23:05:04.882214 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(135): [client ::1:40666] mod_dumpio: dumpio_in [readbytes-blocking] 31 readbytes
      [Wed Apr 30 23:05:04.882227 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(58): [client ::1:40666] mod_dumpio:  dumpio_in (data-HEAP): 31 bytes
      [Wed Apr 30 23:05:04.882236 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(100): [client ::1:40666] mod_dumpio:  dumpio_in (data-HEAP): K\xcb\xcf\xb7MLJNJ,J\xce\xcf-(J-.NM\xe1\x02
      [Wed Apr 30 23:05:04.882268 2025] [deflate:debug] [pid 1479053:tid 1479186] mod_deflate.c(1438): [client ::1:40666] AH01393: Zlib: Inflated 23 to 21 : URL /helloworld/HelloWorldPost 
      ...
      // proxied output
      
      [Wed Apr 30 23:05:04.882736 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(100): [remote 127.0.0.1:8080] mod_dumpio:  dumpio_out (data-POOL): POST /helloworld/HelloWorldPost HTTP/1.1\r\n
      ...
      [Wed Apr 30 23:05:04.882956 2025] [dumpio:trace7] [pid 1479053:tid 1479186] mod_dumpio.c(100): [remote 127.0.0.1:8080] mod_dumpio:  dumpio_out (data-HEAP): myrequestbody\n

      With mod_security/SecRequestBodyAccess enabled, dumpio instead shows the request body consumed in a single read, even before the proxy scheme handler logs any debug output; there is no mod_deflate message, and dumpio shows the proxied request body is still compressed.
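      As an added example (not code from this report, httpd or mod_security), the following Python script automates the dumpio check from step 3: it parses the trace7 data-bucket lines, reverses mod_dumpio's `\xNN` and C-style escapes, and reports whether mod_deflate logged its AH01393 "Inflated" message, whether any proxied (dumpio_out) chunk still begins with the gzip magic bytes 1f 8b, and whether the gzip body was read before mod_proxy's AH00944 connect message, which is the ordering the report describes under SecRequestBodyAccess On. The "without mod_security" sample is abbreviated from the report's own log lines; the "with SecRequestBodyAccess" sample is constructed to match the behaviour described, not captured output. If mod_security buffers the body before the DEFLATE input filter runs, as that single early read indicates, the gzip stream rather than the plaintext is what both mod_security's body inspection and the backend receive.

```python
import re
from typing import Dict, List, Optional

# Data-bucket lines mod_dumpio emits at LogLevel dumpio:trace7, e.g.
#   "... mod_dumpio:  dumpio_in (data-HEAP): \x1f\x8b\b"
DUMP_RE = re.compile(r"mod_dumpio:\s+(dumpio_in|dumpio_out) \(data-\w+\): (.*)$")
# Escapes mod_dumpio writes for non-printable bytes: \xNN plus the C-style set.
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([nrtbvf\\\"])")
C_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "b": 0x08,
             "v": 0x0B, "f": 0x0C, "\\": 0x5C, '"': 0x22}
GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of every gzip member
DEFLATE_INFLATED = "AH01393"      # mod_deflate "Zlib: Inflated N to M" message
PROXY_CONNECTING = "AH00944"      # mod_proxy "connecting ... to ..." message


def unescape(text: str) -> bytes:
    """Turn the escaped payload mod_dumpio logged back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16) if m.group(1) else C_ESCAPES[m.group(2)])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def analyze(log_lines: List[str]) -> Dict[str, bool]:
    """From a dumpio/deflate/proxy log excerpt, decide whether the gzip request
    body was inflated by mod_deflate and whether the proxied copy is still gzip."""
    inflated = False
    first_proxy: Optional[int] = None
    first_gzip_read: Optional[int] = None
    chunks_in: List[bytes] = []
    chunks_out: List[bytes] = []
    for idx, line in enumerate(log_lines):
        if DEFLATE_INFLATED in line:
            inflated = True
        if PROXY_CONNECTING in line and first_proxy is None:
            first_proxy = idx
        m = DUMP_RE.search(line)
        if not m:
            continue
        data = unescape(m.group(2))
        if m.group(1) == "dumpio_in":
            if data.startswith(GZIP_MAGIC) and first_gzip_read is None:
                first_gzip_read = idx
            chunks_in.append(data)
        else:
            chunks_out.append(data)
    # The logged string can be shorter than the announced byte count (the 10-byte
    # gzip header above shows as three escaped bytes), so key on the leading magic
    # bytes instead of trying to gunzip the reconstructed data.
    in_gzip = any(c.startswith(GZIP_MAGIC) for c in chunks_in)
    out_gzip = any(c.startswith(GZIP_MAGIC) for c in chunks_out)
    return {
        "client_body_gzip": in_gzip,
        "deflate_inflated": inflated,
        "proxied_body_gzip": out_gzip,
        "body_read_before_proxy": first_gzip_read is not None
        and (first_proxy is None or first_gzip_read < first_proxy),
        "decompressed_before_proxy": in_gzip and inflated and not out_gzip,
    }


# Abbreviated from the report's log for the working configuration (no mod_security).
LOG_DEFLATE_OK = [
    r"[proxy:debug] proxy_util.c(2640): AH00944: connecting http://127.0.0.1:8080/helloworld/HelloWorldPost to 127.0.0.1:8080",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_in (data-HEAP): \x1f\x8b\b",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_in (data-HEAP): K\xcb\xcf\xb7MLJNJ,J\xce\xcf-(J-.NM\xe1\x02",
    r"[deflate:debug] mod_deflate.c(1438): AH01393: Zlib: Inflated 23 to 21 : URL /helloworld/HelloWorldPost",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_out (data-POOL): POST /helloworld/HelloWorldPost HTTP/1.1\r\n",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_out (data-HEAP): myrequestbody\n",
]

# Constructed (not from the report) to mirror the SecRequestBodyAccess On behaviour
# it describes: one read before the proxy connects, no AH01393, gzip reaches the backend.
LOG_MODSEC = [
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_in (data-HEAP): \x1f\x8b\b",
    r"[proxy:debug] proxy_util.c(2640): AH00944: connecting http://127.0.0.1:8080/helloworld/ to 127.0.0.1:8080",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_out (data-POOL): POST /helloworld/ HTTP/1.1\r\n",
    r"[dumpio:trace7] mod_dumpio.c(100): mod_dumpio:  dumpio_out (data-HEAP): \x1f\x8b\b",
]

if __name__ == "__main__":
    for name, log in (("without mod_security", LOG_DEFLATE_OK),
                      ("with SecRequestBodyAccess On", LOG_MODSEC)):
        print(name, analyze(log))
```

      Feed it the relevant error_log lines (the client-address filter shown in the report, e.g. grep for `::1:40666`, isolates one request); a result with `proxied_body_gzip` true and `deflate_inflated` false is the failure described here.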

      Expected results

      Request body is decompressed by mod_deflate

      Actual results

      Request body is not decompressed by mod_deflate

      People: Lubos Uhliarik (luhliari@redhat.com), Aaron Ogburn (rhn-support-aogburn), Branislav Náter
      Votes: 1
      Watchers: 6