Posted to cvs@httpd.apache.org by br...@apache.org on 2002/11/08 10:24:00 UTC

cvs commit: httpd-2.0/modules/proxy proxy_http.c

brianp      2002/11/08 01:24:00

  Modified:    .        CHANGES
               modules/proxy proxy_http.c
  Log:
  When doing a GET of a proxied URL as a subrequest within
  a POSTed request, don't send the original POST's Content-Length
  as part of the header for the GET.
  
  Revision  Changes    Path
  1.971     +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.970
  retrieving revision 1.971
  diff -u -r1.970 -r1.971
  --- CHANGES	7 Nov 2002 23:11:09 -0000	1.970
  +++ CHANGES	8 Nov 2002 09:24:00 -0000	1.971
  @@ -1,5 +1,9 @@
   Changes with Apache 2.0.44
   
  +  *) Fix a bug in which mod_proxy sent an invalid Content-Length
  +     when a proxied URL was invoked as a server-side include within
  +     a page generated in response to a form POST.  [Brian Pane]
  +
     *) Added code to process min and max file size directives and to
        init the expirychk flag in mod_disk_cache. Added a clarifying
        comment to cache_util.   [Paul J. Reder]
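
Review bot: The new CHANGES entry calls the Content-Length "invalid" but never says what an administrator would have seen; the code comment in this same commit says the backend waits forever for a request body that never arrives. Suggest naming that symptom in the entry and stating that the header is now omitted on the proxied GET, so someone searching for a hung proxied include can find the fix.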
  
  
  
  1.164     +19 -0     httpd-2.0/modules/proxy/proxy_http.c
  
  Index: proxy_http.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_http.c,v
  retrieving revision 1.163
  retrieving revision 1.164
  diff -u -r1.163 -r1.164
  --- proxy_http.c	25 Oct 2002 20:58:55 -0000	1.163
  +++ proxy_http.c	8 Nov 2002 09:24:00 -0000	1.164
  @@ -597,7 +597,26 @@
                        || !apr_strnatcasecmp(headers_in[counter].key, "If-None-Match")) {
                       continue;
                   }
  +
  +                /* If you POST to a page that gets server-side parsed
  +                 * by mod_include, and the parsing results in a reverse
  +                 * proxy call, the proxied request will be a GET, but
  +                 * its request_rec will have inherited the Content-Length
  +                 * of the original request (the POST for the enclosing
  +                 * page).  We can't send the original POST's request body
  +                 * as part of the proxied subrequest, so we need to avoid
  +                 * sending the corresponding content length.  Otherwise,
  +                 * the server to which we're proxying will sit there
  +                 * forever, waiting for a request body that will never
  +                 * arrive.
  +                 */
  +                if ((r->method_number == M_GET) && headers_in[counter].key &&
  +                    !apr_strnatcasecmp(headers_in[counter].key,
  +                                       "Content-Length")) {
  +                    continue;
  +                }
           }
  +
   
           buf = apr_pstrcat(p, headers_in[counter].key, ": ",
                             headers_in[counter].val, CRLF,
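
Review bot: The added test on headers_in[counter].key matches only "Content-Length", so a Transfer-Encoding header inherited from a chunked POST would still be forwarded on the GET and would still tell the backend to expect a body; consider skipping Transfer-Encoding in the same condition. Separately, the lone added blank line after the closing brace leaves two blank lines before the buf = apr_pstrcat( call and can be dropped.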
  
  
  

Re: cvs commit: httpd-2.0/modules/proxy proxy_http.c

Posted by Justin Erenkrantz <je...@apache.org>.
--On Friday, November 08, 2002 12:25:20 -0800 Brian Pane 
<br...@cnet.com> wrote:

> put it.  We don't necessarily want to reset the request
> Content-Length whenever we create a subrequest, because
> somebody might have a legitimate need to read the form
> post data within a server-side-included subrequest.

Hmm.  I'm pretty sure that this has come up before, and we agreed that we 
don't want to allow for this case.  IIRC, there's something else (probably 
input filters) which prevents this from happening anyway.

So, yeah, I think we should just remove content-length on all subreqs.  -- justin

Re: cvs commit: httpd-2.0/modules/proxy proxy_http.c

Posted by Brian Pane <br...@cnet.com>.
I agree: it probably should be at a higher level.  For now,
I made the change as localized as possible, in order to get
the proxy problem fixed quickly without breaking anything
else.  But eventually the fix should probably be in the core.
The only problem is that I'm not sure where it's safe to
put it.  We don't necessarily want to reset the request
Content-Length whenever we create a subrequest, because
somebody might have a legitimate need to read the form
post data within a server-side-included subrequest.

Brian

On Fri, 2002-11-08 at 08:53, William A. Rowe, Jr. wrote:
> It seems like this patch should be at a higher level.  Don't we also
> have problems with POST to any other sort of included subrequest 
> being transformed into a GET but retaining the content-length 
> or other irrelevant (nasty) headers? 
> 
> Is there a more appropriate place to make this correction for the
> benefit of all sorts of subrequest includes?
> 
> Bill
> 
> At 03:24 AM 11/8/2002, brianp@apache.org wrote:
> >brianp      2002/11/08 01:24:00
> >
> >  Modified:    .        CHANGES
> >               modules/proxy proxy_http.c
> >  Log:
> >  When doing a GET of a proxied URL as a subrequest within
> >  a POSTed request, don't send the original POST's Content-Length
> >  as part of the header for the GET.
> >  
> >  Revision  Changes    Path
> >  1.971     +4 -0      httpd-2.0/CHANGES
> >  
> >  Index: CHANGES
> >  ===================================================================
> >  RCS file: /home/cvs/httpd-2.0/CHANGES,v
> >  retrieving revision 1.970
> >  retrieving revision 1.971
> >  diff -u -r1.970 -r1.971
> >  --- CHANGES   7 Nov 2002 23:11:09 -0000       1.970
> >  +++ CHANGES   8 Nov 2002 09:24:00 -0000       1.971
> >  @@ -1,5 +1,9 @@
> >   Changes with Apache 2.0.44
> >   
> >  +  *) Fix a bug in which mod_proxy sent an invalid Content-Length
> >  +     when a proxied URL was invoked as a server-side include within
> >  +     a page generated in response to a form POST.  [Brian Pane]
> >  +
> >     *) Added code to process min and max file size directives and to
> >        init the expirychk flag in mod_disk_cache. Added a clarifying
> >        comment to cache_util.   [Paul J. Reder]
> >  
> >  
> >  
> >  1.164     +19 -0     httpd-2.0/modules/proxy/proxy_http.c
> >  
> >  Index: proxy_http.c
> >  ===================================================================
> >  RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_http.c,v
> >  retrieving revision 1.163
> >  retrieving revision 1.164
> >  diff -u -r1.163 -r1.164
> >  --- proxy_http.c      25 Oct 2002 20:58:55 -0000      1.163
> >  +++ proxy_http.c      8 Nov 2002 09:24:00 -0000       1.164
> >  @@ -597,7 +597,26 @@
> >                        || !apr_strnatcasecmp(headers_in[counter].key, "If-None-Match")) {
> >                       continue;
> >                   }
> >  +
> >  +                /* If you POST to a page that gets server-side parsed
> >  +                 * by mod_include, and the parsing results in a reverse
> >  +                 * proxy call, the proxied request will be a GET, but
> >  +                 * its request_rec will have inherited the Content-Length
> >  +                 * of the original request (the POST for the enclosing
> >  +                 * page).  We can't send the original POST's request body
> >  +                 * as part of the proxied subrequest, so we need to avoid
> >  +                 * sending the corresponding content length.  Otherwise,
> >  +                 * the server to which we're proxying will sit there
> >  +                 * forever, waiting for a request body that will never
> >  +                 * arrive.
> >  +                 */
> >  +                if ((r->method_number == M_GET) && headers_in[counter].key &&
> >  +                    !apr_strnatcasecmp(headers_in[counter].key,
> >  +                                       "Content-Length")) {
> >  +                    continue;
> >  +                }
> >           }
> >  +
> >   
> >           buf = apr_pstrcat(p, headers_in[counter].key, ": ",
> >                             headers_in[counter].val, CRLF,
> >  
> >  
> >  



Re: cvs commit: httpd-2.0/modules/proxy proxy_http.c

Posted by "William A. Rowe, Jr." <wr...@apache.org>.
It seems like this patch should be at a higher level.  Don't we also
have problems with POST to any other sort of included subrequest 
being transformed into a GET but retaining the content-length 
or other irrelevant (nasty) headers? 

Is there a more appropriate place to make this correction for the
benefit of all sorts of subrequest includes?

Bill

At 03:24 AM 11/8/2002, brianp@apache.org wrote:
>brianp      2002/11/08 01:24:00
>
>  Modified:    .        CHANGES
>               modules/proxy proxy_http.c
>  Log:
>  When doing a GET of a proxied URL as a subrequest within
>  a POSTed request, don't send the original POST's Content-Length
>  as part of the header for the GET.
>  
>  Revision  Changes    Path
>  1.971     +4 -0      httpd-2.0/CHANGES
>  
>  Index: CHANGES
>  ===================================================================
>  RCS file: /home/cvs/httpd-2.0/CHANGES,v
>  retrieving revision 1.970
>  retrieving revision 1.971
>  diff -u -r1.970 -r1.971
>  --- CHANGES   7 Nov 2002 23:11:09 -0000       1.970
>  +++ CHANGES   8 Nov 2002 09:24:00 -0000       1.971
>  @@ -1,5 +1,9 @@
>   Changes with Apache 2.0.44
>   
>  +  *) Fix a bug in which mod_proxy sent an invalid Content-Length
>  +     when a proxied URL was invoked as a server-side include within
>  +     a page generated in response to a form POST.  [Brian Pane]
>  +
>     *) Added code to process min and max file size directives and to
>        init the expirychk flag in mod_disk_cache. Added a clarifying
>        comment to cache_util.   [Paul J. Reder]
>  
>  
>  
>  1.164     +19 -0     httpd-2.0/modules/proxy/proxy_http.c
>  
>  Index: proxy_http.c
>  ===================================================================
>  RCS file: /home/cvs/httpd-2.0/modules/proxy/proxy_http.c,v
>  retrieving revision 1.163
>  retrieving revision 1.164
>  diff -u -r1.163 -r1.164
>  --- proxy_http.c      25 Oct 2002 20:58:55 -0000      1.163
>  +++ proxy_http.c      8 Nov 2002 09:24:00 -0000       1.164
>  @@ -597,7 +597,26 @@
>                        || !apr_strnatcasecmp(headers_in[counter].key, "If-None-Match")) {
>                       continue;
>                   }
>  +
>  +                /* If you POST to a page that gets server-side parsed
>  +                 * by mod_include, and the parsing results in a reverse
>  +                 * proxy call, the proxied request will be a GET, but
>  +                 * its request_rec will have inherited the Content-Length
>  +                 * of the original request (the POST for the enclosing
>  +                 * page).  We can't send the original POST's request body
>  +                 * as part of the proxied subrequest, so we need to avoid
>  +                 * sending the corresponding content length.  Otherwise,
>  +                 * the server to which we're proxying will sit there
>  +                 * forever, waiting for a request body that will never
>  +                 * arrive.
>  +                 */
>  +                if ((r->method_number == M_GET) && headers_in[counter].key &&
>  +                    !apr_strnatcasecmp(headers_in[counter].key,
>  +                                       "Content-Length")) {
>  +                    continue;
>  +                }
>           }
>  +
>   
>           buf = apr_pstrcat(p, headers_in[counter].key, ": ",
>                             headers_in[counter].val, CRLF,
>  
>  
>
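
The thread's suggestion of handling this above mod_proxy, for every kind of subrequest, sketched as an added example; it is not httpd code and was not posted by anyone in the thread. It does not use APR: struct hdr, describes_body and copy_headers_for_subrequest are hypothetical names, and treating Transfer-Encoding alongside Content-Length is an assumption that goes beyond the committed patch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strcasecmp (POSIX) */
/* Hypothetical stand-in for one entry of a request's header table. */
struct hdr { const char *key; const char *val; };

/* Headers that announce a request body (this list is an assumption). */
static int describes_body(const char *key)
{
    static const char *const framing[] = { "Content-Length", "Transfer-Encoding" };
    size_t i;
    for (i = 0; i < sizeof framing / sizeof framing[0]; i++)
        if (strcasecmp(key, framing[i]) == 0)
            return 1;
    return 0;
}

/* Copy headers for a subrequest, omitting body headers when no body is sent. */
size_t copy_headers_for_subrequest(const struct hdr *in, size_t n,
                                   int sends_body, struct hdr *out)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++) {
        if (in[i].key == NULL || in[i].val == NULL)
            continue;   /* unusable entry */
        if (!sends_body && describes_body(in[i].key))
            continue;   /* would promise a body that never arrives */
        out[kept++] = in[i];
    }
    return kept;
}

/* Constructed sample: headers of a form POST as a subrequest inherits them. */
static const struct hdr sample_post_headers[] = {
    { "Host", "www.example.com" },
    { "content-length", "27" },
    { "Content-Type", "application/x-www-form-urlencoded" },
    { NULL, NULL },
};
#define SAMPLE_COUNT (sizeof sample_post_headers / sizeof sample_post_headers[0])

int main(void)
{
    struct hdr out[SAMPLE_COUNT];
    size_t i, n = copy_headers_for_subrequest(sample_post_headers, SAMPLE_COUNT, 0, out);
    for (i = 0; i < n; i++)
        printf("%s: %s\r\n", out[i].key, out[i].val);
    return 0;
}
```

Passing sends_body as 1 keeps the body headers, which covers the case raised in the thread of a subrequest that legitimately reads the form data.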