You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/03/26 20:11:33 UTC
[Bug 65979] New: Connection is closed when keep-alive is specified
https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
Bug ID: 65979
Summary: Connection is closed when keep-alive is specified
Product: Tomcat 9
Version: 9.0.60
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: patrickjamesbarry@gmail.com
Target Milestone: -----
When a user sends request headers-->
HTTP/1.1
Transfer-Encoding: chunked,
Connection: keep-alive,
Content-length = 12
Tomcat is ignoring content-length (which is correct), however, it is sending
back Connection: closed. This is wrong. This is because
org.apache.coyote.http11.Http11Processor, line 856 is setting keep-alive to
false. This is wrong. Please remove that line, or check to see if request is
requesting Connection to kept alive. The connection is getting closed, even
when a user is requesting it to be kept alive.
curl --location --request POST 'https://localhost:9010/test/v1/echo' \
--header 'Transfer-Encoding: chunked' \
--header 'Content-Length: 17' \
--header 'Content-Type: application/json' \
--data-raw '{"this": "fight"}' --http1.1
Response Headers sent back.
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sat, 26 Mar 2022 20:06:11 GMT
Connection: close
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65979] Connection is closed when keep-alive is specified
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
As per RFC 7230:
<quote>
A sender MUST NOT send a Content-Length header field in any message that
contains a Transfer-Encoding header field.
</quote>
That is sufficient justification to reject such requests with a 400 response.
However, rather than reject the request, Tomcat opted to follow the same
approach as httpd and disable keep-alive.
Note RFC 7230 is stricter here than RFC 2616.
The connection is closed as a precaution to prevent any possible exploitation
of a request smuggling attack if a) Tomcat is behind a reverse proxy and b) the
reverse proxy incorrectly uses the content-length rather than chunked encoding.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65979] Connection is closed when keep-alive is specified
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
--- Comment #2 from Patrick <pa...@gmail.com> ---
Thank you for quick reply! Yes, familiar with RFC and just spent a few days
tracking this down. I understand where you guys are coming from. Suggestions
for improvement because I would hate someone else to have to track this down as
I did.
- Add logging statement at warn level indicating modification to request
- Add configurable attribute that would allow user to immediately fail request
with 400
- Document this behavior somewhere
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65979] Connection is closed when keep-alive is specified
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Patrick from comment #2)
> Thank you for quick reply! Yes, familiar with RFC and just spent a few days
> tracking this down. I understand where you guys are coming from. Suggestions
> for improvement because I would hate someone else to have to track this down
> as I did.
>
> - Add logging statement at warn level indicating modification to request
-1 DOS to log file
> - Add configurable attribute that would allow user to immediately fail
> request with 400
+1 patches are welcome
> - Document this behavior somewhere
How far should this go? We don't document every (any?) case of HTTP status
codes for other things.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 65979] Connection is closed when keep-alive is specified
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65979
--- Comment #4 from Patrick <pa...@gmail.com> ---
The documentation could be paired with the introduction of the new attribute
that allows people to send back a 400 in this scenario. The reasoning behind
why the attribute was added would make people aware of what assumptions were
originally made and why this 'flag' might be more desirable to people.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org