Author: markt
Date: Mon Nov 11 12:14:15 2013
New Revision: 1540689

URL: http://svn.apache.org/r1540689
Log:
If a request that includes an "Expect: 100-continue" header receives anything 
other than a 2xx response, close the connection.
This protects against mis-behaving clients that may not send the request body 
in that case and send the next request instead.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1540687

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1540689&r1=1540688&r2=1540689&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Mon Nov 11 12:14:15 2013
@@ -1082,6 +1082,18 @@ public abstract class AbstractHttp11Proc
                     // thread if the servlet has rejected it.
                     getInputBuffer().setSwallowInput(false);
                 }
+                if (response.getStatus() < 200 || response.getStatus() > 299) {
+                    if (expectation) {
+                        // Client sent Expect: 100-continue but received a
+                        // non-2xx response. Disable keep-alive (if enabled) to
+                        // ensure the connection is closed. Some clients may
+                        // still send the body, some may send the next request.
+                        // No way to differentiate, so close the connection to
+                        // force the client to send the next request.
+                        getInputBuffer().setSwallowInput(false);
+                        keepAlive = false;
+                    }
+                }
                 endRequest();
             }
 
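Review bot: The last sentence of the new comment is misleading: closing the connection does not "force the client to send the next request", it forces the client to open a fresh connection for it, so that any body the client still sends cannot be parsed as the next request on this connection; suggest rewording to "so close the connection: a body the client still sends is discarded with it, and the next request arrives on a new connection." The nested `if (status outside 2xx) { if (expectation) { ... } }` can be a single condition, `response.getStatus()` is evaluated twice, and the `getInputBuffer().setSwallowInput(false)` call repeats the one in the preceding branch when the servlet has already rejected the body; folding the two conditions together and reading the status once would make the intent clearer. Finally, nothing in this hunk distinguishes a client whose body has already been fully read (a 100 Continue was sent and the servlet consumed the body before answering 4xx/5xx) from one that never sent it; unless `expectation` is cleared once the interim 100 response has been written, every non-2xx response to an Expect request now costs the client a reconnect even when keep-alive would have been safe.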

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1540689&r1=1540688&r2=1540689&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 11 12:14:15 2013
@@ -153,6 +153,12 @@
         is disabled in the <code>AprLifecycleListener</code> and SSL is
         configured for an APR/native connector. (markt)
       </fix>
+      <add>
+        If a request that includes an <code>Expect: 100-continue</code> header
+        receives anything other than a 2xx response, close the connection This
+        protects against misbehaving clients that may not sent the request body
+        in that case and send the next request instead. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Cluster">
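Review bot: The changelog text has a missing period and a typo: "close the connection This" should read "close the connection. This", and "may not sent the request body" should be "may not send the request body". Since the entry describes protection against misbehaving clients rather than a new feature, consider whether it belongs in a `<fix>` element like the entry above it rather than in `<add>`.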


