You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/04/12 20:06:04 UTC

DO NOT REPLY [Bug 39287] New: - Incorrect If-Modified-Since validation (due to synthetic mtime?)

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39287>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39287

           Summary: Incorrect If-Modified-Since validation (due to synthetic
                    mtime?)
           Product: Apache httpd-1.3
           Version: HEAD
          Platform: All
               URL: http://www.mnot.net/cgi-bin/apache-ims.cgi
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: issues.apache.org@mnot.net


Apache 1.3 (and 2.0, as far as I can see) calculates the modified time used to compare the If-Modified-
Since request header with and determine validation like this (in http_protocol.c ap_meets_conditions);

    mtime = (r->mtime != 0) ? r->mtime : time(NULL);

Later, this time is used to figure out if a 304 Not Modified is sent;

        if ((ims >= mtime) && (ims <= r->request_time)) {
            return HTTP_NOT_MODIFIED;

The problem is that Apache fakes the mtime to the current time if it can't find r->mtime (e.g., if it's a 
CGI script). If a client sends an If-Modified-Since header, I believe there's a race condition whereby an 
IMS containing the current time will get a 304 Not Modified, even though the underlying resource has 
no concept of mtime (i.e., it doesn't have a Last-Modified).

This can be demonstrated against the following script (at http://www.mnot.net/cgi-bin/apache-
ims.cgi):

#!/usr/local/bin/python
import os
print "Content-Type: text/plain"
print
print os.environ.get("HTTP_IF_MODIFIED_SINCE", "-")

using the following command-line for the client side;

~> URL="http://www.mnot.net/cgi-bin/apache-ims.cgi"; DATE=`curl -Is -X HEAD $URL | grep ^Date | 
cut -d ":" -f 2-`; echo "D-> $DATE"; curl -Is -H "If-Modified-Since: $DATE" $URL
D->  Wed, 12 Apr 2006 17:58:39 GMT
HTTP/1.1 304 Not Modified
Date: Wed, 12 Apr 2006 17:58:39 GMT
Server: Apache/1.3.29

As you can see, Apache incorrectly sends a 304 Not Modified when the If-Modified-Since request 
header is set to the current time. For a CGI script that changes on a sub-second basis (e.g., one used 
by AJAX), this reduces the granularity of responses to one second, confusing the implementor (because 
they don't expect a 304 Not Modified to ever be sent).

All of this would be largely a theoretical problem, because such a resource should never see an If-
Modified-Since request header, having not send a previous Last-Modified response header. However, 
Safari/OSX *does* send a If-Modified-Since request header based upon the Date response header when 
it doesn't find a Last-Modified response (a bug which I'm reporting to them now). 

Safari, of course, should fix themselves, but Apache is also somewhat broken here, as it should not 
default mtime to the current time (which may cause problems in other scenarios).

Note that while I see this behaviour on the mnot.net server (Apache 1.3.29), I've had trouble verifying it 
on other systems. I suspect that this is because it's a race condition, and therefore hard to reproduce; 
that said, it could be something on that particular server instance (it's a shared host, so I dont' have 
access to the source they've used). 

However, if I'm correct about the underlying reason, the code hasn't changed from then until HEAD, and 
is substantially the same in Apache 2.2.0.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 39287] - Incorrect If-Modified-Since validation (due to synthetic mtime?)

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39287>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39287





------- Additional Comments From issues.apache.org@mnot.net  2006-04-12 19:12 -------
BTW, there's nothing special about that script; I used the one I'm showing Apple's problem with, but it 
could easily be as simple as 

print "Content-Type: text/plain"
print 
print "hi!"

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org