mod_cache: Make sure that contradictory entity headers present in a 304
authorGraham Leggett <minfrin@apache.org>
Tue, 28 May 2013 21:02:17 +0000 (21:02 +0000)
committerGraham Leggett <minfrin@apache.org>
Tue, 28 May 2013 21:02:17 +0000 (21:02 +0000)
Not Modified response are caught and cause the entity to be removed.

trunk patch: http://svn.apache.org/r1479117
2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-304sanity.patch2.4.patch

Submitted by: minfrin
Reviewed by: jim, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1487118 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/cache/mod_cache.c

diff --git a/CHANGES b/CHANGES
index 9d2ef8dd1c4932e8fc864bd40db750580129a2dc..ee5b7cd724fbea72f375be9c3d8c3289d754df74 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.4.5
 
+  *) mod_cache: Make sure that contradictory entity headers present in a 304
+     Not Modified response are caught and cause the entity to be removed.
+     [Graham Leggett]
+
   *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
      multivalued headers referred to via Vary. [Graham Leggett]
 
diff --git a/STATUS b/STATUS
index 4b4fbdc96d02f1673d8cc47017aa489c4b216a72..fcbc5821b9377412e59a648a97a49eaaecc10ba9 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -90,12 +90,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
  
-    * mod_cache: Make sure that contradictory entity headers present in a 304
-      Not Modified response are caught and cause the entity to be removed.
-      trunk patch: http://svn.apache.org/r1479117
-      2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-304sanity.patch2.4.patch
-      +1: minfrin, jim, wrowe
-
     * mod_cache: Honour Cache-Control: no-store in a request.
       trunk patch: http://svn.apache.org/r1479222
       2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-nostore2.4.patch
index e1626849765df367cbd30c677ce440b181f7d7a3..de61ba12c02548539deec68e5bf182f904909292 100644 (file)
@@ -743,6 +743,22 @@ static int cache_save_store(ap_filter_t *f, apr_bucket_brigade *in,
     return rv;
 }
 
+/**
+ * Sanity check for 304 Not Modified responses, as per RFC2616 Section 10.3.5.
+ */
+static const char *cache_header_cmp(apr_pool_t *pool, apr_table_t *left,
+        apr_table_t *right, const char *key)
+{
+    const char *h1, *h2;
+
+    if ((h1 = cache_table_getm(pool, left, key))
+            && (h2 = cache_table_getm(pool, right, key)) && (strcmp(h1, h2))) {
+        return apr_pstrcat(pool, "contradiction: 304 Not Modified, but ", key,
+                " modified", NULL);
+    }
+    return NULL;
+}
+
 /*
  * CACHE_SAVE filter
  * ---------------
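Review bot: The doc comment on `cache_header_cmp` cites the RFC section but does not state the contract, which has two edges a maintainer needs to know. The function returns a reason only when `key` is present in both tables and the values differ under `strcmp`, so a header present on one side only is never reported, and values differing only in case or whitespace (a `Content-Type` parameter, for example) count as a contradiction. That errs toward discarding the cached entity, which is the safe direction for cache integrity, but it should be written down; I would extend the comment with `Returns NULL when either header is absent or both values are byte-identical; otherwise a reason string allocated from pool.` How `cache_table_getm` joins repeated headers is not visible in this hunk, so whether a reordered multi-valued header also trips the check should be confirmed.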
@@ -776,7 +792,7 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
     apr_time_t exp, date, lastmod, now;
     apr_off_t size = -1;
     cache_info *info = NULL;
-    char *reason;
+    const char *reason;
     apr_pool_t *p;
     apr_bucket *e;
     apr_table_t *headers;
@@ -1063,6 +1079,56 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
         /* or we've been asked not to cache it above */
         reason = "r->no_cache present";
     }
+    else if (r->status == HTTP_NOT_MODIFIED && cache->stale_handle) {
+        apr_table_t *left = cache->stale_handle->resp_hdrs;
+        apr_table_t *right = r->headers_out;
+
+        /* and lastly, contradiction checks for revalidated responses
+         * as per RFC2616 Section 10.3.5
+         */
+        if (((reason = cache_header_cmp(r->pool, left, right, "Allow")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Encoding")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Language")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Length")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Location")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-MD5")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Range")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Content-Type")))
+                || ((reason = cache_header_cmp(r->pool, left, right, "Expires")))
+                || ((reason = cache_header_cmp(r->pool, left, right, "ETag")))
+                || ((reason = cache_header_cmp(r->pool, left, right,
+                        "Last-Modified")))) {
+            /* contradiction: 304 Not Modified, but entity header modified */
+        }
+    }
+
+    /**
+     * Enforce RFC2616 Section 10.3.5, just in case. We caught any
+     * inconsistencies above.
+     *
+     * If the conditional GET used a strong cache validator (see section
+     * 13.3.3), the response SHOULD NOT include other entity-headers.
+     * Otherwise (i.e., the conditional GET used a weak validator), the
+     * response MUST NOT include other entity-headers; this prevents
+     * inconsistencies between cached entity-bodies and updated headers.
+     */
+    if (r->status == HTTP_NOT_MODIFIED) {
+        apr_table_unset(r->headers_out, "Allow");
+        apr_table_unset(r->headers_out, "Content-Encoding");
+        apr_table_unset(r->headers_out, "Content-Language");
+        apr_table_unset(r->headers_out, "Content-Length");
+        apr_table_unset(r->headers_out, "Content-MD5");
+        apr_table_unset(r->headers_out, "Content-Range");
+        apr_table_unset(r->headers_out, "Content-Type");
+        apr_table_unset(r->headers_out, "Last-Modified");
+    }
 
     /* Hold the phone. Some servers might allow us to cache a 2xx, but
      * then make their 304 responses non cacheable. This leaves us in a
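Review bot: `Expires` is in the contradiction list at the `cache_header_cmp(r->pool, left, right, "Expires")` call, yet RFC 2616 Section 10.3.5, which the comment cites, names Expires among the fields a 304 is expected to carry when its value may differ from an earlier response. An origin that sends a fresh Expires on each revalidation would have `reason` set and, assuming the code after this hunk treats a non-NULL `reason` as do-not-cache, would lose its cached entity on every revalidation, which defeats the cache and pushes load back to the backend. I would drop that one comparison and keep the rest, and say in the comment that `Expires`, `ETag` and `Content-Location` are deliberately absent from the `apr_table_unset` list because a 304 may legitimately send them. The empty `if` body also hides that the only effect is the assignment to `reason`; a short loop over a `static const char *const` array of header names would read more plainly. cache_save_filter starts and ends outside this hunk.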