On 19/04/2020 14:04, Rainer Jung wrote: > It might be too simplistic, but the following at least stops the > connection close (but I don't know, whether it also prevents it in cases > where it should still be done): > > diff --git a/java/org/apache/coyote/http11/Http11Processor.java > b/java/org/apache/coyote/http11/Http11Processor.java > index aa1569cfdc..f38993b04d 100644 > --- a/java/org/apache/coyote/http11/Http11Processor.java > +++ b/java/org/apache/coyote/http11/Http11Processor.java > @@ -513,7 +513,7 @@ public class Http11Processor extends > AbstractProcessor { > > > private void checkExpectationAndResponseStatus() { > - if (request.hasExpectation() && > + if (request.hasExpectation() && !isRequestBodyFullyRead() && > (response.getStatus() < 200 || response.getStatus() > > 299)) { > // Client sent Expect: 100-continue but received a > // non-2xx final response. Disable keep-alive (if enabled) > > Regards, > > Rainer
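Review bot: the comment directly under the changed condition in checkExpectationAndResponseStatus() ("Client sent Expect: 100-continue but received a non-2xx final response. Disable keep-alive (if enabled)") no longer matches the code. With !isRequestBodyFullyRead() added, keep-alive is disabled only while some of the request body is still unread. Suggest rewording the comment to state that condition and why the unread body is what matters. The hunk does not show isRequestBodyFullyRead(), so it is worth confirming that it returns true only once the whole declared body has been consumed. A test for both outcomes would also help: a non-2xx response with the body fully read keeps the connection, and a non-2xx response with the body unread closes it.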
That fix looks right to me. The case we need to avoid is keeping keep-alive enabled when the client and the server have a different view of how much of the request body has been read as that can create request injection issues which are particularly problematic behind a reverse proxy. If the server knows it has read the entire body then the client certainly knows it sent the entire body and all is well.

Mark
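The case described in the reply above, as an added toy model of one keep-alive connection (not Tomcat code and not part of the original thread). It compares the pre-patch and patched keep-alive conditions with an always-keep-alive policy when the server has or has not consumed the body of a rejected Expect: 100-continue request. All function names, paths and bytes are constructed for the illustration.

```python
# Added illustration: a toy model of one keep-alive connection, not Tomcat code.
# All names, paths and bytes below are constructed for the example.

def patched_policy(has_expectation, body_fully_read, status):
    """Keep-alive decision mirroring the patched condition in the diff."""
    non_2xx = status < 200 or status > 299
    return not (has_expectation and not body_fully_read and non_2xx)

def original_policy(has_expectation, body_fully_read, status):
    """Pre-patch condition: any non-2xx reply to an Expect request closes."""
    return not (has_expectation and (status < 200 or status > 299))

def always_keep_alive(has_expectation, body_fully_read, status):
    """The unsafe behaviour the check exists to prevent."""
    return True

def requests_seen(stream, server_reads_body, policy):
    """Return the request lines a server would parse from one connection.

    Requests carrying Expect: 100-continue are rejected with 403; the flag
    says whether the server consumed their body before replying.
    """
    seen, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        lines = stream[pos:end].decode("ascii").split("\r\n")
        headers = {k.lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in lines[1:])}
        seen.append(lines[0])
        pos = end + 4
        length = int(headers.get("content-length", "0"))
        expects = headers.get("expect", "").lower() == "100-continue"
        status = 403 if expects else 200
        fully_read = length == 0 or server_reads_body or not expects
        if fully_read:
            pos += length  # server skips past the body it consumed
        if not policy(expects, fully_read, status):
            break  # connection closed; later bytes are never parsed
    return seen

# Constructed body that happens to look like a request of its own.
BODY = b"GET /other HTTP/1.1\r\nHost: example.test\r\n\r\n"
STREAM = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Expect: 100-continue\r\nContent-Length: %d\r\n\r\n" % len(BODY)
          + BODY + b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n")
```

With the body unread and the connection kept open, the body bytes are parsed as a request the client never made. The patched condition closes the connection in that case and keeps it open only when the body was fully read.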