From: Graham Leggett Date: Tue, 28 May 2013 21:02:17 +0000 (+0000) Subject: mod_cache: Make sure that contradictory entity headers present in a 304 X-Git-Tag: 2.4.5~200 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d9d294f1bbc339a26ed62f735b73352e7d81acb0;p=apache mod_cache: Make sure that contradictory entity headers present in a 304 Not Modified response are caught and cause the entity to be removed. trunk patch: http://svn.apache.org/r1479117 2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-304sanity.patch2.4.patch Submitted by: minfrin Reviewed by: jim, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1487118 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 9d2ef8dd1c..ee5b7cd724 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.5 + *) mod_cache: Make sure that contradictory entity headers present in a 304 + Not Modified response are caught and cause the entity to be removed. + [Graham Leggett] + *) mod_cache: Make sure Vary processing handles multivalued Vary headers and multivalued headers referred to via Vary. [Graham Leggett] diff --git a/STATUS b/STATUS index 4b4fbdc96d..fcbc5821b9 100644 --- a/STATUS +++ b/STATUS @@ -90,12 +90,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_cache: Make sure that contradictory entity headers present in a 304 - Not Modified response are caught and cause the entity to be removed. - trunk patch: http://svn.apache.org/r1479117 - 2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-304sanity.patch2.4.patch - +1: minfrin, jim, wrowe - * mod_cache: Honour Cache-Control: no-store in a request. trunk patch: http://svn.apache.org/r1479222 2.4.x patch: http://people.apache.org/~minfrin/httpd-mod_cache-nostore2.4.patch diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c index e162684976..de61ba12c0 100644 --- a/modules/cache/mod_cache.c +++ b/modules/cache/mod_cache.c @@ -743,6 +743,22 @@ static int cache_save_store(ap_filter_t *f, apr_bucket_brigade *in, return rv; } +/** + * Sanity check for 304 Not Modified responses, as per RFC2616 Section 10.3.5. + */ +static const char *cache_header_cmp(apr_pool_t *pool, apr_table_t *left, + apr_table_t *right, const char *key) +{ + const char *h1, *h2; + + if ((h1 = cache_table_getm(pool, left, key)) + && (h2 = cache_table_getm(pool, right, key)) && (strcmp(h1, h2))) { + return apr_pstrcat(pool, "contradiction: 304 Not Modified, but ", key, + " modified", NULL); + } + return NULL; +} + /* * CACHE_SAVE filter * --------------- @@ -776,7 +792,7 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) apr_time_t exp, date, lastmod, now; apr_off_t size = -1; cache_info *info = NULL; - char *reason; + const char *reason; apr_pool_t *p; apr_bucket *e; apr_table_t *headers; @@ -1063,6 +1079,56 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in) /* or we've been asked not to cache it above */ reason = "r->no_cache present"; } + else if (r->status == HTTP_NOT_MODIFIED && cache->stale_handle) { + apr_table_t *left = cache->stale_handle->resp_hdrs; + apr_table_t *right = r->headers_out; + + /* and lastly, contradiction checks for revalidated responses + * as per RFC2616 Section 10.3.5 + */ + if (((reason = cache_header_cmp(r->pool, left, right, "Allow"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Encoding"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Language"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Length"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Location"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-MD5"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Range"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Type"))) + || ((reason = cache_header_cmp(r->pool, left, right, "Expires"))) + || ((reason = cache_header_cmp(r->pool, left, right, "ETag"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Last-Modified")))) { + /* contradiction: 304 Not Modified, but entity header modified */ + } + } + + /** + * Enforce RFC2616 Section 10.3.5, just in case. We caught any + * inconsistencies above. + * + * If the conditional GET used a strong cache validator (see section + * 13.3.3), the response SHOULD NOT include other entity-headers. + * Otherwise (i.e., the conditional GET used a weak validator), the + * response MUST NOT include other entity-headers; this prevents + * inconsistencies between cached entity-bodies and updated headers. + */ + if (r->status == HTTP_NOT_MODIFIED) { + apr_table_unset(r->headers_out, "Allow"); + apr_table_unset(r->headers_out, "Content-Encoding"); + apr_table_unset(r->headers_out, "Content-Language"); + apr_table_unset(r->headers_out, "Content-Length"); + apr_table_unset(r->headers_out, "Content-MD5"); + apr_table_unset(r->headers_out, "Content-Range"); + apr_table_unset(r->headers_out, "Content-Type"); + apr_table_unset(r->headers_out, "Last-Modified"); + } /* Hold the phone. Some servers might allow us to cache a 2xx, but * then make their 304 responses non cacheable. This leaves us in a