Author: markt
Date: Mon Nov 11 12:14:15 2013
New Revision: 1540689
URL: http://svn.apache.org/r1540689
Log:
If a request that includes an "Expect: 100-continue" header receives anything
other than a 2xx response, close the connection.
This protects against mis-behaving clients that may not send the request body
in that case and send the next request instead.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1540687
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1540689&r1=1540688&r2=1540689&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
Mon Nov 11 12:14:15 2013
@@ -1082,6 +1082,18 @@ public abstract class AbstractHttp11Proc
// thread if the servlet has rejected it.
getInputBuffer().setSwallowInput(false);
}
+ if (response.getStatus() < 200 || response.getStatus() > 299) {
+ if (expectation) {
+ // Client sent Expect: 100-continue but received a
+ // non-2xx response. Disable keep-alive (if enabled) to
+ // ensure the connection is closed. Some clients may
+ // still send the body, some may send the next request.
+ // No way to differentiate, so close the connection to
+ // force the client to send the next request.
+ getInputBuffer().setSwallowInput(false);
+ keepAlive = false;
+ }
+ }
endRequest();
}
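Review bot: the new comment inside `if (expectation)` explains `keepAlive = false` but not the `getInputBuffer().setSwallowInput(false);` call next to it. Please add a sentence saying why the remaining input must not be swallowed here. The comment already notes that the bytes following the headers may be either the body or the next request, so it would help to state that they are deliberately left unread because the connection is being closed. The last comment line, "force the client to send the next request", also reads as cut short; if the intent is "on a new connection", say so. As a style point, the two nested `if` statements could be one condition with `expectation` tested first, which avoids calling `response.getStatus()` twice for requests that carry no expectation.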
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1540689&r1=1540688&r2=1540689&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 11 12:14:15 2013
@@ -153,6 +153,12 @@
is disabled in the <code>AprLifecycleListener</code> and SSL is
configured for an APR/native connector. (markt)
</fix>
+ <add>
+ If a request that includes an <code>Expect: 100-continue</code> header
+ receives anything other than a 2xx response, close the connection This
+ protects against misbehaving clients that may not sent the request body
+ in that case and send the next request instead. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Cluster">
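Review bot: the added `<add>` entry has two text errors that will ship in the rendered changelog. There is no full stop between "close the connection" and "This", and "may not sent the request body" should read "may not send the request body". The entry also spells "misbehaving" without a hyphen while the commit log uses "mis-behaving"; pick one form.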