This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 86af4ebf8a Fix 68228 - return a 408 after a read timeout
86af4ebf8a is described below
commit 86af4ebf8a5bff5dd51f6c4dff0fbcac9ed93b20
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Dec 4 11:06:17 2023 +0000
Fix 68228 - return a 408 after a read timeout
This isn't a complete fix as it doesn't allow the user to control the
status code after an IOException during read.
---
.../org/apache/catalina/connector/InputBuffer.java | 8 +-
.../catalina/connector/TestClientReadTimeout.java | 120 +++++++++++++++++++++
webapps/docs/changelog.xml | 5 +
3 files changed, 132 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/InputBuffer.java
b/java/org/apache/catalina/connector/InputBuffer.java
index a674a7183c..3957ec93c2 100644
--- a/java/org/apache/catalina/connector/InputBuffer.java
+++ b/java/org/apache/catalina/connector/InputBuffer.java
@@ -18,6 +18,7 @@ package org.apache.catalina.connector;
import java.io.IOException;
import java.io.Reader;
+import java.net.SocketTimeoutException;
import java.nio.Buffer;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
@@ -27,6 +28,7 @@ import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.ReadListener;
import jakarta.servlet.RequestDispatcher;
+import jakarta.servlet.http.HttpServletResponse;
import org.apache.coyote.ActionCode;
import org.apache.coyote.BadRequestException;
@@ -313,7 +315,11 @@ public class InputBuffer extends Reader implements
ByteChunk.ByteInputChannel, A
Request request = (Request)
coyoteRequest.getNote(CoyoteAdapter.ADAPTER_NOTES);
Response response = request.getResponse();
request.setAttribute(RequestDispatcher.ERROR_EXCEPTION, e);
- response.sendError(400);
+ if (e instanceof SocketTimeoutException) {
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT);
+ } else {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ }
}
diff --git a/test/org/apache/catalina/connector/TestClientReadTimeout.java
b/test/org/apache/catalina/connector/TestClientReadTimeout.java
new file mode 100644
index 0000000000..ff535a032e
--- /dev/null
+++ b/test/org/apache/catalina/connector/TestClientReadTimeout.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.connector;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.net.Socket;
+import java.nio.charset.StandardCharsets;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.core.StandardHost;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+
+
+public class TestClientReadTimeout extends TomcatBaseTest {
+
+ static Tomcat tomcat;
+
+ @Test
+ public void testTimeoutGets408() throws IOException, LifecycleException {
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctx = tomcat.addContext("", null);
+
+ ((StandardHost) tomcat.getHost()).setErrorReportValveClass(null);
+
+ Tomcat.addServlet(ctx, "TestServlet", new SyncServlet());
+ ctx.addServletMappingDecoded("/*", "TestServlet");
+
+ tomcat.start();
+
+ try (Socket s = new Socket("localhost", getPort())) {
+ String request = "GET /async HTTP/1.1\r\nHost:
localhost\r\ncontent-length: 101\r\n\r\n";
+ sendBadRequest(s, request, 408);
+ }
+ }
+
+ private static void sendBadRequest(Socket socket, String request, int
expectedStatusCode) throws IOException {
+ OutputStream os = socket.getOutputStream();
+ os.write(request.getBytes(StandardCharsets.UTF_8));
+ InputStream is = socket.getInputStream();
+ BufferedReader reader = new BufferedReader(new InputStreamReader(is,
StandardCharsets.UTF_8));
+ String opening = reader.readLine();
+ Assert.assertNotNull(opening, "Didn't get back a response");
+ StringBuilder sb = new StringBuilder(opening);
+
+ try {
+ Assert.assertTrue("expected status code " + expectedStatusCode + "
but got " + opening,
+ opening.startsWith("HTTP/1.1 " + expectedStatusCode));
+ boolean connectionClose = false;
+ while (reader.ready()) {
+ String line = reader.readLine();
+ if (line == null) {
+ break;
+ }
+
+ sb.append("\n").append(line);
+ if ("connection: close".equalsIgnoreCase(line)) {
+ connectionClose = true;
+ }
+
+ Assert.assertFalse(line.contains("Exception Report"));
+ Assert.assertFalse(line.contains("Status Report"));
+ }
+
+ Assert.assertTrue("No 'Connection: close' header seen",
connectionClose);
+ } catch (Throwable t) {
+ Assert.fail("Response:\n" + sb);
+ t.printStackTrace();
+ }
+ }
+
+ static final class SyncServlet extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected void service(HttpServletRequest req, HttpServletResponse
resp) throws ServletException, IOException {
+ try {
+ while (req.getInputStream().read() != -1) {
+ // NO-OP - Any data read is ignored
+ }
+ resp.setStatus(200);
+ resp.flushBuffer();
+ } catch (ClientAbortException e) {
+ //resp.sendError(408);
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3eecf9f9b9..d2f298faf8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,11 @@
called if <code>AsyncListener.onError()</code> calls
<code>AsyncContext.dispatch()</code>. (markt)
</fix>
+ <fix>
+ <bug>68228</bug>: Use a 408 status code if a read timeout occurs during
+ HTTP request processing. Includes a test case based on code provided by
+ adwsingh. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
