Re: Connection close for POST after successful expectation and status 302

Mon, 20 Apr 2020 02:45:22 -0700 

Hi Mark, hi all,

Am 20.04.2020 um 11:15 schrieb Mark Thomas:

On 19/04/2020 14:04, Rainer Jung wrote:

It might be too simplistic, but the following at least stops the
connection close (but I don't know, whether it also prevents it in cases
where it should still be done):

diff --git a/java/org/apache/coyote/http11/Http11Processor.java
b/java/org/apache/coyote/http11/Http11Processor.java
index aa1569cfdc..f38993b04d 100644
--- a/java/org/apache/coyote/http11/Http11Processor.java
+++ b/java/org/apache/coyote/http11/Http11Processor.java
@@ -513,7 +513,7 @@ public class Http11Processor extends
AbstractProcessor {


      private void checkExpectationAndResponseStatus() {
-        if (request.hasExpectation() &&
+        if (request.hasExpectation() && !isRequestBodyFullyRead() &&
                  (response.getStatus() < 200 || response.getStatus() >
299)) {
              // Client sent Expect: 100-continue but received a
              // non-2xx final response. Disable keep-alive (if enabled)

Regards,

Rainer


That fix looks right to me.

The case we need to avoid is keeping keep-alive enabled when the client
and the server have a different view of how much of the request body has
been read as that can create request injection issues which are
particularly problematic behind a reverse proxy.

If the server knows it has read the entire body then the client
certainly knows it sent the entire body and all is well.
Soooo, what about in addition drop the non 2xx check. Even if we returned a 2xx, shouldn't we close if 

request.hasExpectation() && !isRequestBodyFullyRead()
It isn't very likely, that an application returns a 2xx before having read the body, but the limitation to non-2xx seems a bit artificial.
Thinking more about it: what is special here about the expectation case? If "!isRequestBodyFullyRead()" make sense as a condition term in these places, why bother for limiting it to "request.hasExpectation()"? Shouldn't then "!isRequestBodyFullyRead()" be the only check and we close the connection for any status code and even when we had no expectation? Depending on the detailed behavior of isRequestBodyFullyRead() we might need to add a check, if the request had a body at all. What do you think? 

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to