Bug #1629

closed

mod_accesslog does not log aborted POSTs

Added by icy about 16 years ago. Updated almost 8 years ago.

Status: Fixed
Priority: Normal
Category: mod_accesslog
Target version:

Description

If the client issues a POST and closes the connection before finishing the request, it will not get logged.
While I am not sure if it should be logged, this might pose minor security risks of having lighty webservers abused for upload speed tests.

Actions #1

Updated by stbuehler almost 16 years ago

connections.c:


        case CON_STATE_ERROR: /* transient */

            /* even if the connection was drop we still have to write it to the access log */
            if (con->http_status) {
                plugins_call_handle_response_done(srv, con);
            }

I am not sure if we can call handle_response_done anyway - but you can try it if you want ;-)

Actions #2

Updated by gstrauss almost 8 years ago

  • Description updated (diff)
  • Status changed from New to Fixed
  • Assignee deleted (jan)
  • Target version changed from 1.5.0 to 1.4.40

Set server.max-request-size to limit the allowed size of POST request bodies.

In lighttpd 1.4.40, connection_handle_read() logs an error if there is an error in recv(), and it is the responsibility of dynamic handlers to detect if POST is incomplete and to set con->http_status as it deems appropriate. Responses with con->http_status set are logged in accesslog (if accesslog is configured).
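An added example, not part of the ticket or of lighttpd's code: a log review for the upload-abuse concern in the description, summing bytes received per client for POSTs that ended in an error status. It assumes `accesslog.format = "%h %t \"%r\" %s %b %I"` (`%I` is bytes received); the threshold, function names and sample lines are constructed for illustration, and only requests that lighttpd actually logs can show up here.

```python
import re
from collections import defaultdict

# Assumed accesslog.format: "%h %t \"%r\" %s %b %I"  (%I = bytes received)
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<out>\d+|-) (?P<inb>\d+)$'
)

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 [12/Aug/2016:10:00:01 +0000] "POST /upload HTTP/1.1" 200 120 2048
198.51.100.7 [12/Aug/2016:10:00:02 +0000] "POST /upload HTTP/1.1" 400 0 52428800
198.51.100.7 [12/Aug/2016:10:00:09 +0000] "POST /upload HTTP/1.1" 400 0 73400320
198.51.100.7 [12/Aug/2016:10:00:15 +0000] "POST /form HTTP/1.1" 413 0 900
203.0.113.5 [12/Aug/2016:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 5120 310
this line is malformed and must be skipped
"""

def failed_post_bytes(log_text):
    """Sum bytes received per client for POSTs that ended in a 4xx/5xx status."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_in": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # skip non-POST requests and lines that do not parse
        if int(m["status"]) < 400:
            continue  # completed uploads are not the concern here
        entry = totals[m["host"]]
        entry["requests"] += 1
        entry["bytes_in"] += int(m["inb"])
    return dict(totals)

def flag_clients(log_text, min_bytes=64 * 1024 * 1024):
    """Return clients whose failed POSTs together uploaded at least min_bytes."""
    return sorted(h for h, e in failed_post_bytes(log_text).items()
                  if e["bytes_in"] >= min_bytes)

if __name__ == "__main__":
    for host, e in failed_post_bytes(SAMPLE_LOG).items():
        print(host, e["requests"], e["bytes_in"])
    print("flagged:", flag_clients(SAMPLE_LOG))
```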
