https://issues.apache.org/bugzilla/show_bug.cgi?id=56326

            Bug ID: 56326
           Summary: cache_quick_handler does not serve responses with the
                    "Authorization" header
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_cache
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 31449
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31449&action=edit
Allow cache_quick_handler to serve authorized requests

The relevant standard is RFC2616, section 14.8. It specifies three situations
in which responses containing the Authorization header may be cached. In
cache_save_filter() these cases are handled correctly, but in
cache_quick_handler(), requests with an Authorization header are simply
declined near the beginning of processing:

    /* find certain cache controlling headers */
    auth = apr_table_get(r->headers_in, "Authorization");

    /* First things first - does the request allow us to return
     * cached information at all? If not, just decline the request.
     */
    if (auth) {
        return DECLINED;
    }

No such check is performed in plain old cache_handler(). If you specify
"CacheQuickHandler off", responses with the header get served from the cache
just fine, provided they meet the appropriate conditions in the RFC.

This behavior is implied in a couple of places within the documentation, such
as in CacheQuickHandler ("...it allows the cache to be used in cases where full
processing is required, such as when content is subject to authorization"), but
I don't think it's ever explicitly stated. The caching guide even implies that
these responses should be cached: "If the response contains an "Authorization:"
header, it must also contain an "s-maxage", "must-revalidate" or "public"
option in the "Cache-Control:" header, or it won't be cached." Interestingly,
the 2.2 version of the doc also states that "If the request contains an
"Authorization:" header, the response will not be cached", but this stipulation
is removed in more recent versions.

The attached patch (against trunk) keeps the current behavior as default, but
includes a directive which allows serving cached authorized requests through
the quick handler. It may be that there's a good reason for keeping the check
in the quick handler, and that my patch is completely bogus; in that case, I
still think the doc should be changed to explicitly note this behavior.
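As an added illustration of the RFC2616 section 14.8 rule the report refers to (this is example code written for this note, not httpd's cache_save_filter() or the attached patch), the function below decides whether a shared cache may reuse a response whose request carried an Authorization header. It only looks at the response's Cache-Control value, which is exactly the check the RFC prescribes: the response must carry "s-maxage", "must-revalidate" or "public". The function names and the sample header values are constructed for the example; the directive parser honours quoted strings so that a comma inside e.g. private="..." does not split a directive.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of a directive name (s, length n, not
 * NUL-terminated) against a NUL-terminated literal. Exact length match. */
static int name_equals(const char *s, size_t n, const char *lit)
{
    size_t i;
    for (i = 0; i < n && lit[i] != '\0'; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return 0;
    }
    return i == n && lit[i] == '\0';
}

/* Walk the comma-separated directive list of a Cache-Control header value.
 * Returns 1 if a directive named `want` is present (with or without an
 * "=value" part), 0 otherwise. Commas inside quoted strings do not split
 * directives, and names are matched case-insensitively as HTTP requires. */
static int has_directive(const char *cc, const char *want)
{
    const char *p = cc;
    while (*p) {
        const char *start, *end, *name_end;
        int quoted = 0;

        /* Skip separators and leading whitespace. */
        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        if (!*p) break;
        start = p;

        /* Advance to the next unquoted comma. */
        while (*p && (quoted || *p != ',')) {
            if (*p == '"') quoted = !quoted;
            p++;
        }
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;

        /* The directive name runs up to '=' (if any) or the token end. */
        name_end = memchr(start, '=', (size_t)(end - start));
        if (!name_end) name_end = end;
        if (name_equals(start, (size_t)(name_end - start), want)) return 1;
    }
    return 0;
}

/* RFC 2616 section 14.8: a shared cache may return a response to a request
 * that carried Authorization to other clients only if the response includes
 * s-maxage, must-revalidate or public in Cache-Control. A NULL argument means
 * the response had no Cache-Control header at all, so it may not be reused. */
int shared_cache_may_store_authorized(const char *cache_control)
{
    if (cache_control == NULL) return 0;
    return has_directive(cache_control, "s-maxage")
        || has_directive(cache_control, "must-revalidate")
        || has_directive(cache_control, "public");
}

int main(void)
{
    /* Constructed sample Cache-Control values, not taken from any real server. */
    const char *samples[] = {
        "max-age=300, public",
        "max-age=300",
        "S-MaxAge=60",
        "private=\"Set-Cookie, public\", no-store",
        NULL
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-45s -> %s\n",
               samples[i] ? samples[i] : "(no Cache-Control header)",
               shared_cache_may_store_authorized(samples[i])
                   ? "may be served from shared cache"
                   : "must not be served to other clients");
    }
    return 0;
}
```

The point the report makes is that cache_save_filter() already applies this kind of test when storing, so a request that reaches the cache through the quick handler and is declined purely because Authorization is present is being treated more strictly than the RFC requires; with "CacheQuickHandler off" the same response is served once the directive test passes.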
