mod_isapi/7082: Problematic handling of headers sent by an ISA

[Jesse Pelton <js...@pkc.com>]

>Number:         7082
>Category:       mod_isapi
>Synopsis:       Problematic handling of headers sent by an ISA
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jan 17 08:00:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     jsp@pkc.com
>Release:        1.3.14
>Organization:
apache
>Environment:
Windows 2000
Microsoft Visual C++ 6.0 SP4
>Description:
Bug 3358 described a problem where Apache would send an extra blank line at the end of the response headers.  That problem has been fixed, and replaced by another that is pretty much the inverse.  If you use MFC's CHttpServer class, CHttpServer::HttpExtensionProc() thoughtfully appends the required blank header line, but it does so only after calling ServerSupportFunction(HSE_REQ_SEND_RESPONSE_HEADER,...).  This call fails under Apache unless there's already a blank line at the end of the headers.  It's a no-win situation: if you include a blank header, you end up with a blank line at the beginning of the response body (which might not be acceptable); if you don't include a blank header, Apache chokes.

The function that fails is ap_scan_script_header_err_core() in util_script.c.

MSDN seems to indicate that it's the ISA's responsibility to append a blank header, which is the way it really should be.  Unfortunately, that's not the way the MFC code actually works.  Another case of Microsoft trying to make things easier but succeeding only in making a mess.
>How-To-Repeat:
Use MSVC's wizard to create an empty ISA, then attempt to use it.  Specifically:
1) Launch MSVC.
2) Select File->New from the menu.
3) Click the "Projects" tab.
4) Select "ISAPI Extension Wizard" from the left-hand pane.
5) Specify a project name and location.
6) Click "OK."
7) Make sure "Generate a Server Extension object" is selected.
8) Click "Finish."
9) Click "OK."
10) Select "Build->Build [projectname].dll"
11) Put the DLL in a directory where Apache can find it.
12) Use a browser to fire it up.
>Fix:
Perhaps the header scanner could accept header strings that are not terminated with a blank line.  I imagine this would have extensive and nasty side-effects, though.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]