I received a photo in the Conversations XMPP app on my Android phone, but the image was not shown. Instead I got a message
Bildgröße auf xmpp-files.cweiske.de prüfen
which translates to
Checking image size on xmpp-files.cweiske.de
The other XMPP client Dino showed the images, though.
In Conversations bug report #240 it was observed that the Content-Length header was missing, and my server exhibited the same problem:
$ curl -I 'https://xmpp-files.cweiske.de/share_v2.php/23/42.jpg'
HTTP/1.1 200 OK
Date: Sat, 08 Jun 2024 12:38:47 GMT
Server: Apache/2.4.59 (Debian)
Access-Control-Allow-Methods: GET, PUT, OPTIONS
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 7200
Access-Control-Allow-Origin: *
Content-Security-Policy: "default-src 'none'"
X-Content-Security-Policy: "default-src 'none'"
X-WebKit-CSP: "default-src 'none'"
Content-Type: image/jpeg
No Content-Length. I'm using the mod_http_upload_external Prosody module for file uploads together with the share_v2.php provided by it. That PHP script does set a Content-Length header, but nobody receives it!
Even a PHP script that only sends out a Content-Length header does not work:
<?php
header('X-Test: 23');
header('Content-Length: 42');

$ curl -I https://xmpp-files.cweiske.de/test.php
HTTP/1.1 200 OK
Date: Sat, 08 Jun 2024 13:18:34 GMT
Server: Apache/2.4.59 (Debian)
X-Test: 23
Content-Type: text/html; charset=UTF-8
The header is missing.
The cause
Then I found Apache bug report #68973, "Content-Length header missing in 2.4.59 is a breaking change", which explained the symptom I experienced:
Apache version 2.4.59 fixed security issue CVE-2024-24795 by preventing CGI-like scripts (such as PHP) from sending out Content-Length headers.
A new environment variable ap_trust_cgilike_cl was introduced that restores the old behavior.
Solution
I re-enabled the Content-Length header in my PHP applications by creating an Apache configuration file
SetEnv ap_trust_cgilike_cl 1
enabling it and restarting apache2:
$ a2enconf cweiske-content-length
$ systemctl reload apache2
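Because the stripping was introduced as the fix for CVE-2024-24795, a narrower variant trusts Content-Length only from the one script that needs it. This is an added example, not part of the original post; it assumes the variable is honoured when set per request by mod_env inside a `<Files>` section, and that share_v2.php is the only script whose Content-Length is required.

```apache
# Server-wide form (the single line from the post, placed at server level):
# every CGI-like handler on this server has its Content-Length trusted again.
# SetEnv ap_trust_cgilike_cl 1

# Scoped form (added here as an assumption-based alternative):
# only responses generated by the upload script are trusted.
# <Files> matches on the script's file name, so requests with trailing
# path info such as /share_v2.php/23/42.jpg are covered as well.
<Files "share_v2.php">
    SetEnv ap_trust_cgilike_cl 1
</Files>

# Expected effect: share_v2.php responses carry Content-Length again,
# while other scripts (for example test.php from above) keep the
# default behaviour and still have the header removed.
```

After reloading, the two `curl -I` requests shown earlier serve as the check: the share_v2.php response should list Content-Length and the test.php response should not.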