[Bug 61820] New: 304 headers stripped

[Bug 61820] 304 headers stripped

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61820

--- Comment #16 from Ruediger Pluem <[hidden email]> ---
(In reply to Giovanni Bechis from comment #15)
> Shouldn't ETag be removed as well ?

ETag is not listed here:

https://github.com/httpwg/http-core/pull/337/files

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

--- Comment #17 from Giovanni Bechis <[hidden email]> ---
Maybe I am missing something but this is part of the code that has been
committed:

Caches MUST-NOT update the following header fields:
Content-Encoding,
Content-Length,
Content-MD5 ("RFC2616#14.15),
Content-Range,
ETag.

--- Comment #18 from Ruediger Pluem <[hidden email]> ---
(In reply to Giovanni Bechis from comment #17)
> Maybe I am missing something but this is part of the code that has been
> committed:
>
> Caches MUST-NOT update the following header fields:
> Content-Encoding,
> Content-Length,
> Content-MD5 ("RFC2616#14.15),
> Content-Range,
> ETag.

My bad :-(. I missed ETag. You are correct.
So remove

TE
Trailer
Transfer-Encoding
Upgrade
Content-Encoding
Content-Length
Content-MD5
Content-Range
ETag

--- Comment #19 from Giovanni Bechis <[hidden email]> ---
Created attachment 37269
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37269&action=edit
Strip unwanted headers

Add a subprocess_env to restore old behaviour, uncertain about correct naming
and about where this should be documented.

--- Comment #20 from Ruediger Pluem <[hidden email]> ---
I am not sure if we need to be able to provide the old behavior and if yes I
think the name of the environment variable should be "better" (whatever that
means, yes sweet naming discussions :-)).

--- Comment #21 from Giovanni Bechis <[hidden email]> ---
Honestly I do not think it makes sense to provide backward compatibility in
this case because it would deviate from the standard.
I am all for committing just the portion of the code that strips the correct
headers.

Giovanni Bechis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #37097|0                           |1
        is obsolete|                            |

--- Comment #22 from Giovanni Bechis <[hidden email]> ---
Created attachment 37345
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37345&action=edit
Strip unwanted headers without subprocess_env envvar

Strip unwanted headers without using a subprocess_env var to avoid this
behaviour

--- Comment #23 from Matt McCutchen <[hidden email]> ---
Thanks to everyone who worked or is working on this issue!  While we wait for
the fix to be committed and deployed to our web hosts (which I'm guessing may
take years), here's a workaround I plan to use on my site:

For each request, compute a "salt" string that uniquely identifies the relevant
response header values, and then emulate a resource whose ETag incorporates the
salt.  Thus, if a request returns a salted ETag that is found in the client's
cache, then the response headers in the cache are guaranteed to equal those
that would have appeared in the actual response if Apache didn't strip them.
Since a last-modified time cannot accommodate salt, the If-Modified-Since
request header must be dropped so that a 304 is not returned on that basis.

In general, the response headers and thus the salt could depend on both the
server configuration and the request headers.  In most scenarios, it's probably
easiest to represent the server configuration by an integer that is manually
incremented for each relevant change.  Request headers can just be concatenated
into the salt with any problematic characters suitably encoded.

Of course, we must ensure the client sends the request to the server in the
first place rather than fulfilling it from cache.  This is independent of the
current issue but probably worth reminding people about.  For a dependency on a
request header, we just merge its name into the Vary response header.  For a
change in server configuration, the best we can do is set the Cache-Control
max-age to ensure clients eventually find out about the change.

Here's a code example for a .htaccess file where, if the Origin request header
specifies an allowed origin, we want to set an equal
Access-Control-Allow-Origin response header.  The server configuration revision
is 42; we would increment the number if we changed the logic for generating
response headers.  I'm assuming no browser sends an Origin header with nasty
characters; this might need more research.  Please let me know if anything is
wrong with this example!

~~~~~~~~
SetEnv HEADER_CONFIG_REV 42
RewriteRule ^ - [E=ETAG_SALT:%{ENV:HEADER_CONFIG_REV}-%{HTTP:Origin}]
Header merge Vary Origin
Header set Cache-Control max-age=1200

# Our goal is to strip the salt from the If-None-Match and If-Match headers if
# it equals the current salt.  However, %{ETAG_SALT}e expansion in the regular
# expression is not supported, so we use the following hack: append the current
# salt to all ETags, and then if an ETag ends in two equal salts (as determined
# by a regular expression with a \1 backreference), strip both of them.  ETags
# that did not originally end with the current salt will be left with at least
# one salt and won't be able to match the real ETag, so their presence does not
# matter.
RequestHeader edit* If-None-Match "([^\ ])\"" "$1+%{ETAG_SALT}e\""
RequestHeader edit* If-None-Match "(\+[^+\" ]*)\1\"" "\""
RequestHeader edit* If-Match "([^\ ])\"" "$1+%{ETAG_SALT}e\""
RequestHeader edit* If-Match "(\+[^+\" ]*)\1\"" "\""
RequestHeader unset If-Modified-Since

# Always add the salt to the ETag response header.
Header edit ETag "\"$" "+%{ETAG_SALT}e\""

RewriteCond %{HTTP:Origin} ^https://(.+\.)?example\.com$
RewriteRule ^ - [E=ACAO:%{HTTP:Origin}]
Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
~~~~~~~~

When calling a CGI, some of this processing could probably be done in the CGI,
but I haven't tested that.

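The salted-ETag round trip described in comment #23, as an added example that is not part of the original post: a Python simulation of the two `RequestHeader edit*` passes and the `Header edit ETag` rule. It assumes Python's `re` behaves like Apache's regex engine for these patterns; the ETag `"abc"`, the origins and the function names are constructed for illustration.

```python
import re

def etag_salt(config_rev, origin):
    # Mirrors E=ETAG_SALT:%{ENV:HEADER_CONFIG_REV}-%{HTTP:Origin}
    return f"{config_rev}-{origin}"

def salt_response_etag(etag, salt):
    # Mirrors: Header edit ETag "\"$" "+%{ETAG_SALT}e\""
    return re.sub(r'"$', lambda m: "+" + salt + '"', etag)

def unsalt_request(header, salt):
    # Pass 1: append the current salt before every closing quote.
    salted = re.sub(r'([^ ])"', lambda m: m.group(1) + "+" + salt + '"', header)
    # Pass 2: an ETag that now ends in two equal salts loses both of them.
    return re.sub(r'(\+[^+" ]*)\1"', '"', salted)

def would_revalidate(if_none_match, real_etag, salt):
    # A 304 is only possible if the real ETag reappears after unsalting.
    return real_etag in unsalt_request(if_none_match, salt).split(", ")

if __name__ == "__main__":
    real = '"abc"'                      # constructed ETag of the resource
    origin = "https://app.example.com"  # constructed Origin request header
    cached = salt_response_etag(real, etag_salt(42, origin))
    cases = {
        "same config, same origin": etag_salt(42, origin),
        "config revision bumped": etag_salt(43, origin),
        "different origin": etag_salt(42, "https://other.example.com"),
    }
    for label, salt in cases.items():
        print(label, "->", unsalt_request(cached, salt),
              "304 possible:", would_revalidate(cached, real, salt))
    # Salt containing '+': pass 2 cannot find two equal trailing salts.
    odd = etag_salt(42, "svn+ssh://x")
    odd_cached = salt_response_etag(real, odd)
    print("origin with '+':", would_revalidate(odd_cached, real, odd))
```

In this simulation an Origin value containing `+` never unsalts, so such a client always receives a full response rather than a 304 carrying stale headers.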

Matt McCutchen <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #24 from Ruediger Pluem <[hidden email]> ---
(In reply to Giovanni Bechis from comment #22)
> Created attachment 37345 [details]
> Strip unwanted headers without subprocess_env envvar
>
> Strip unwanted headers without using a subprocess_env var to avoid this
> behaviour

Looks good. Can you commit?

Giovanni Bechis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk,
                   |                            |PatchAvailable

--- Comment #25 from Michael Kaufmann <[hidden email]> ---
This has been fixed in http://svn.apache.org/r1881590 and
http://svn.apache.org/r1881624 .

Please backport to 2.4.x
