[Bug 64265] New: ETag comparison does not properly implement RFC 7232, section 2.3.2

Wed, 25 Mar 2020 07:01:35 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=64265

            Bug ID: 64265
           Summary: ETag comparison does not properly implement RFC 7232,
                    section 2.3.2
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ----

The mentioned section provides two types of comparisons, strong and weak.

Here are the issues:
* It is not properly documented which comparison functions is applied by the
DefaultServlet
* I believe that Tomcat implements either wrong.

Here is the code in question:
> while (!conditionSatisfied && commaTokenizer.hasMoreTokens()) {
>       String currentToken = commaTokenizer.nextToken();
>       if (currentToken.trim().equals(eTag))
>               conditionSatisfied = true;
> }

This means that Tomcat performs char-by-char comparison. This already
contradicts both functions (likely). A simple example:

$ curl "https://.../test/test.txt"; -I
> HTTP/1.1 200
> Accept-Ranges: bytes
> ETag: W/"6-1585143822000"
> Last-Modified: Wed, 25 Mar 2020 13:43:42 GMT
> Content-Type: text/plain
> Content-Length: 6
> Date: Wed, 25 Mar 2020 13:55:50 GMT

Tomcat returns a weak etag, so try the weak function:
> $ curl "https://.../test/test.txt"; -H 'If-None-Match: W/"6-1585143822000"' -I
> HTTP/1.1 304
> ETag: W/"6-1585143822000"
> Date: Wed, 25 Mar 2020 13:58:01 GMT

This one should match with weak:
> $ curl "https://.../test/test.txt"; -H 'If-None-Match: "6-1585143822000"' -I
> HTTP/1.1 200
> Accept-Ranges: bytes
> ETag: W/"6-1585143822000"
> Last-Modified: Wed, 25 Mar 2020 13:43:42 GMT
> Content-Type: text/plain
> Content-Length: 6
> Date: Wed, 25 Mar 2020 13:58:28 GMT

but it doesn't. It still returns 200.

If I try strong logically, the following should give me a 200:
> $ curl "https://.../test/test.txt"; -H 'If-None-Match: W/"6-1585143822000"' -I
> HTTP/1.1 304
> ETag: W/"6-1585143822000"
> Date: Wed, 25 Mar 2020 13:59:24 GMT

but it doesn't. It still returns 304.

Am I wrong here?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to