http://svn.apache.org/viewvc?view=revision&revision=917876

SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent after request headers indicate a request body is incoming; this is not a case of HTTP_INTERNAL_SERVER_ERROR.

Submitted by: Niku Toivola <niku.toivola sulake.com>
Reviewed by: rpluem, jim, wrowe
Backports: r917875

--- modules/proxy/mod_proxy_ajp.c 2008-06-05 08:46:43.000000000 -0400 +++ modules/proxy/mod_proxy_ajp.c.oden 2010-03-02 09:50:52.000000000 -0500 @@ -231,7 +231,7 @@ static int ap_proxy_ajp_request(apr_pool ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "proxy: ap_get_brigade failed"); apr_brigade_destroy(input_brigade); - return HTTP_INTERNAL_SERVER_ERROR; + return HTTP_BAD_REQUEST; } /* have something */
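Review bot: the ap_log_error call directly above the changed return passes 0 as its status argument and logs at APLOG_DEBUG, so once this branch answers 400 the reason for the failed read is still not recorded at default log levels. Consider passing the apr_status_t that ap_get_brigade returned (the variable holding it is outside the visible context) and raising the level, so operators can tell a client that never sent its announced body from any other read failure. The branch as shown returns HTTP_BAD_REQUEST for every ap_get_brigade failure, while the commit message describes only the missing-body case; a short comment above the return stating why the failure is attributed to the client would document that assumption.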