Reputation: 8457
I have written an Apache 2.x module that attempts to scan request bodies, and conditionally return 403 Forbidden if certain patterns match.
My first attempt used ap_hook_handler to intercept the request, scan it and then return DECLINED so the real handler could take over (or 403 if conditions were met).
The problem with that approach is that when I read the POST body of the request (using ap_get_client_block and friends), it apparently consumed the body so that if the request was subsequently handled by mod_proxy, the body was gone.
I think the right way to scan the body would be to use an input filter, except an input filter can only return APR_SUCCESS or fail. Any return codes other than APR_SUCCESS get translated into HTTP 400 Bad Request.
I think maybe I can store a flag in the request notes if the input filter wants to fail the request, but I'm not sure which later hook to get that.
Upvotes: 2
Views: 369
Reputation: 8457
Turned out to be pretty easy - just drop an error bucket into the brigade:
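    /* f is the ap_filter_t * passed to the filter function */
    apr_bucket_brigade *brigade = apr_brigade_create(f->r->pool, f->r->connection->bucket_alloc);

    /* error bucket carrying the HTTP status to send (403 Forbidden) */
    apr_bucket *bucket = ap_bucket_error_create(403, NULL, f->r->pool,
                                                f->r->connection->bucket_alloc);
    APR_BRIGADE_INSERT_TAIL(brigade, bucket);

    /* end-of-stream bucket so nothing further is expected after the error */
    bucket = apr_bucket_eos_create(f->r->connection->bucket_alloc);
    APR_BRIGADE_INSERT_TAIL(brigade, bucket);

    ap_pass_brigade(f->next, brigade);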
Upvotes: 1
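An input filter sees the request body one bucket at a time, so a pattern can begin in one bucket and end in the next. The following is an added example, not code from either post: a stand-alone matcher (no httpd or APR dependency) whose KMP state carries across chunks, with a 403 verdict marking the point where a filter would insert the error bucket shown in the answer. The names `body_scan_t`, `scan_init`, `scan_feed` and `scan_chunks` are hypothetical, and each chunk stands in for the bytes read from one data bucket.

```c
#include <stdio.h>
#include <string.h>
#define SCAN_MAX_PAT 64

/* Hypothetical per-request scan state; a real filter would keep it in f->ctx. */
typedef struct {
    const char *pat;
    size_t patlen;
    size_t fail[SCAN_MAX_PAT]; /* KMP failure table */
    size_t matched;            /* pattern bytes matched so far, kept across chunks */
    int status;                /* 0 = pass the body on, 403 = reject the request */
} body_scan_t;

static int scan_init(body_scan_t *s, const char *pat) {
    size_t n = strlen(pat), k = 0;
    if (n == 0 || n > SCAN_MAX_PAT) return -1;
    s->pat = pat; s->patlen = n; s->matched = 0; s->status = 0;
    s->fail[0] = 0;
    for (size_t i = 1; i < n; i++) {
        while (k > 0 && pat[i] != pat[k]) k = s->fail[k - 1];
        if (pat[i] == pat[k]) k++;
        s->fail[i] = k;
    }
    return 0;
}

/* Feed one chunk (the bytes of one data bucket). The verdict is sticky. */
static int scan_feed(body_scan_t *s, const char *data, size_t len) {
    for (size_t i = 0; i < len && s->status == 0; i++) {
        while (s->matched > 0 && data[i] != s->pat[s->matched])
            s->matched = s->fail[s->matched - 1];
        if (data[i] == s->pat[s->matched]) s->matched++;
        if (s->matched == s->patlen) s->status = 403;
    }
    return s->status;
}

/* Scan a body given as n NUL-terminated chunks: 0, 403, or -1 for a bad pattern. */
static int scan_chunks(const char *pat, const char **chunks, size_t n) {
    body_scan_t s;
    if (scan_init(&s, pat) != 0) return -1;
    for (size_t i = 0; i < n; i++) scan_feed(&s, chunks[i], strlen(chunks[i]));
    return s.status;
}

int main(void) {
    /* Constructed sample body, split the way separate buckets might deliver it. */
    const char *body[] = { "user=a&cmd=dr", "op tab", "le users" };
    printf("verdict: %d\n", scan_chunks("drop table", body, 3));
}
```

Because the match state lives in the struct rather than in a copy of the data, the scanner never needs to buffer the body, which leaves it intact for a downstream consumer such as mod_proxy.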