mod_proxy_http violates RFC and common sense
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Apache2 Web Server |
Fix Released
|
Medium
|
|||
apache2 (Ubuntu) |
Fix Released
|
Wishlist
|
Unassigned |
Bug Description
Binary package hint: apache2
If I send a request containing the header "Expect: 100-continue" to a location that is directed to a backend HTTP server using mod_proxy_http, then the following happens:
The client sends the request:
PUT /some/path/
Expect: 100-continue
...
Then apache will respond with 100 Continue even though it hasn't even contacted the backend server yet.
100 Continue
Fine, the client will start sending the body now, because apache asked it to.
Meanwhile, apache will start contacting the backend server, using the Expect header:
PUT /some/path HTTP/1.1
Expect: 100-continue
...
X-Forwarded-For: and so on
Okay, the server now assumes there will be no body yet because of the Expect-header, and starts processing the request.
Then, unexpectedly, apache will continue sending the body, even though the server hasn't done anything yet. Now, if the server doesn't respond with "100 Continue", but, for example, with "401 Unauthorized", then the body will be interpreted as the next request. Apache however ignores any response from the server until it's done sending the body, at which point the server has been sending "400 Bad request" messages so fast that now both sides of the conversation are thoroughly confused and apache doesn't even bother to send a meaningful response to the client; all connections are eventually closed.
Arguably the confused state is partly caused by the backend server not closing the request after the "400" errors, but it *is* caused by apache misunderstanding the meaning of "Expect: 100-continue".
This is the apache configuration snipped used in this experiment:
<Location /some/path/>
ProxyPass http://
ProxyPassReverse http://
Order allow,deny
Allow from all
Deny from none
SetEnv proxy-interim-
SetEnv proxy-sendchunked 1
</Location>
And FYI, this is the start of the actual, captured request from the client:
PUT /kmx/pavis2.
Host: localhost
Accept-
User-Agent: Treparel KMX Patent Analytics suite/2.2.90
Content-Type: application/
Transfer-
Expect: 100-continue
Response from apache:
HTTP/1.1 100 Continue
Body sent by the client:
19000
(and so on, using chunked encoding).
ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
Package: apache2.2-common 2.2.11-2ubuntu2.2
ProcEnviron:
SHELL=/bin/zsh
PATH=(custom, user)
LC_COLLATE=C
LANG=nl_NL.UTF-8
LC_CTYPE=
SourcePackage: apache2
Uname: Linux 2.6.28-14-generic x86_64
Changed in apache2: | |
status: | Unknown → Confirmed |
Changed in apache2 (Ubuntu): | |
importance: | Undecided → Wishlist |
Changed in apache2: | |
importance: | Unknown → Medium |
status: | Confirmed → Fix Released |
Thank you for your bug report. This bug has been reported to the developers of the software. You can track it and make comments at:
https:/ /issues. apache. org/bugzilla/ show_bug. cgi?id= 47810