httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10128] New: - 1.3.26 (somebody updating bugzilla?): mod_proxy, no-cache and 304
Date Fri, 21 Jun 2002 15:34:28 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10128

1.3.26 (somebody updating bugzilla?): mod_proxy, no-cache and 304

           Summary: 1.3.26 (somebody updating bugzilla?): mod_proxy, no-
                    cache and 304
           Product: Apache httpd-1.3
           Version: 1.3.25
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ast@domdv.de


Reported to the old bug database for 1.3.23 this bug is happily alive and has
been ignored with the usual Apache arrogance as all other bugs I did report
(/dev/null is definitely more responsive):

When using mod_proxy and a cache try the following:

1. Empty the cache of mod_proxy
2. Retrieve http://alles.quoka.de/ with some client via the proxy, e.g. use
   curl -i -x <apache-proxy-address-and-port> http://alles.quoka.de/
3. Repeat 2 as long as you wish. You will get an empty document.

The prerequisite for this to happen is that the remote server sets a
"Cache-Control: no-cache" header. When mod_proxy then does validate
the cache contents on a subsequent request the remote server sends a 304
response with a content length of 0 to mod_proxy which in turn happily stores
the "new and improved" body information to the cache.

For those not understanding what's going on here's the (truncated) output
of the first page retrieval:

ast@castor:~ > curl -i -x zeus.lan.domdv.de:8080 http://alles.quoka.de/
HTTP/1.1 200 OK
Date: Fri, 21 Jun 2002 11:31:45 GMT
Server: Microsoft-IIS/4.0
Cache-Control: no-cache
Expires: Fri, 21 Jun 2002 11:19:40 GMT
Content-Location: http://alles.quoka.de/index.html
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 28 May 2002 14:34:31 GMT
ETag: "822c9dc7546c21:1d495"
Content-Length: 19143
X-Cache: MISS from host001-server-1.lan.domdv.de

<HTML>
<head>
[snip]

Now we do a subsequent request for the same page (not truncated, mod_proxy
does this for us):

ast@castor:~ > curl -i -x zeus.lan.domdv.de:8080 http://alles.quoka.de/
HTTP/1.1 200 OK
Date: Fri, 21 Jun 2002 11:31:53 GMT
Server: Microsoft-IIS/4.0
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 28 May 2002 14:34:31 GMT
Cache-Control: no-cache
Expires: Fri, 21 Jun 2002 11:19:48 GMT
Content-Location: http://alles.quoka.de/index.html
ETag: "822c9dc7546c21:1d495"
Content-Length: 0
X-Cache: HIT from host001-server-1.lan.domdv.de (with revalidation)

ast@castor:~ >


Cute, isn't it. So to DoS an Apache mod_proxy installation you only need
to include "Cache-Control: no-cache" in the headers and you won't be bothered
by these itty gritty installations anymore.

Now for those preferring to read network traces here's a dump (truncated)
of the same story:

0x0000   4500 0102 0569 4000 4006 d85c 5084 73b4        E....i@.@..\P.s.
0x0010   d9ed be0a 09a1 0050 73a1 2311 1339 a2b6        .......Ps.#..9..
0x0020   5018 16b0 26ee 0000 4745 5420 2f20 4854        P...&...GET./.HT
0x0030   5450 2f31 2e31 0d0a 486f 7374 3a20 616c        TP/1.1..Host:.al
0x0040   6c65 732e 7175 6f6b 612e 6465 0d0a 4163        les.quoka.de..Ac
0x0050   6365 7074 3a20 696d 6167 652f 6769 662c        cept:.image/gif,
0x0060   2069 6d61 6765 2f78 2d78 6269 746d 6170        .image/x-xbitmap
0x0070   2c20 696d 6167 652f 6a70 6567 2c20 696d        ,.image/jpeg,.im
0x0080   6167 652f 706a 7065 672c 202a 2f2a 0d0a        age/pjpeg,.*/*..
0x0090   5072 6167 6d61 3a20 6e6f 2d63 6163 6865        Pragma:.no-cache
0x00a0   0d0a 5573 6572 2d41 6765 6e74 3a20 6375        ..User-Agent:.cu
0x00b0   726c 2f37 2e39 2e35 2028 6936 3836 2d70        rl/7.9.5.(i686-p
0x00c0   632d 6c69 6e75 782d 676e 7529 206c 6962        c-linux-gnu).lib
0x00d0   6375 726c 2037 2e39 2e35 2028 4f70 656e        curl.7.9.5.(Open
0x00e0   5353 4c20 302e 392e 3662 290d 0a43 6f6e        SSL.0.9.6b)..Con
0x00f0   6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a        nection:.close..


0x0000   4500 05d4 c02e 4000 7b06 ddc4 d9ed be0a        E.....@.{.......
0x0010   5084 73b4 0050 09a1 1339 a2b6 73a1 23eb        P.s..P...9..s.#.
0x0020   5010 212e a598 0000 4854 5450 2f31 2e31        P.!.....HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f34        .Microsoft-IIS/4
0x0050   2e30 0d0a 4361 6368 652d 436f 6e74 726f        .0..Cache-Contro
0x0060   6c3a 206e 6f2d 6361 6368 650d 0a45 7870        l:.no-cache..Exp
0x0070   6972 6573 3a20 4672 692c 2032 3120 4a75        ires:.Fri,.21.Ju
0x0080   6e20 3230 3032 2031 313a 3533 3a32 3220        n.2002.11:53:22.
0x0090   474d 540d 0a43 6f6e 6e65 6374 696f 6e3a        GMT..Connection:
0x00a0   2063 6c6f 7365 0d0a 436f 6e74 656e 742d        .close..Content-
0x00b0   4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f        Location:.http:/
0x00c0   2f61 6c6c 6573 2e71 756f 6b61 2e64 652f        /alles.quoka.de/
0x00d0   696e 6465 782e 6874 6d6c 0d0a 4461 7465        index.html..Date
0x00e0   3a20 4672 692c 2032 3120 4a75 6e20 3230        :.Fri,.21.Jun.20
0x00f0   3032 2031 313a 3533 3a32 3220 474d 540d        02.11:53:22.GMT.
0x0100   0a43 6f6e 7465 6e74 2d54 7970 653a 2074        .Content-Type:.t
0x0110   6578 742f 6874 6d6c 0d0a 4163 6365 7074        ext/html..Accept
0x0120   2d52 616e 6765 733a 2062 7974 6573 0d0a        -Ranges:.bytes..
0x0130   4c61 7374 2d4d 6f64 6966 6965 643a 2054        Last-Modified:.T
0x0140   7565 2c20 3238 204d 6179 2032 3030 3220        ue,.28.May.2002.
0x0150   3134 3a33 343a 3331 2047 4d54 0d0a 4554        14:34:31.GMT..ET
0x0160   6167 3a20 2238 3232 6339 6463 3735 3436        ag:."822c9dc7546
0x0170   6332 313a 3164 3439 3522 0d0a 436f 6e74        c21:1d495"..Cont
0x0180   656e 742d 4c65 6e67 7468 3a20 3139 3134        ent-Length:.1914
0x0190   330d 0a0d 0a3c 4854 4d4c 3e0a 3c68 6561        3....<HTML>.<hea
0x01a0   643e 0a3c 212d 2d20 456e 7477 6963 6b6c        d>.<!--.Entwickl

And the subsequent request...

0x0000   4500 015b 81ea 4000 4006 5b82 5084 73b4        E..[..@.@.[.P.s.
0x0010   d9ed be0a 09a2 0050 7b65 d25b 134b 5aaa        .......P{e.[.KZ.
0x0020   5018 16b0 6b05 0000 4745 5420 2f20 4854        P...k...GET./.HT
0x0030   5450 2f31 2e31 0d0a 486f 7374 3a20 616c        TP/1.1..Host:.al
0x0040   6c65 732e 7175 6f6b 612e 6465 0d0a 4163        les.quoka.de..Ac
0x0050   6365 7074 3a20 696d 6167 652f 6769 662c        cept:.image/gif,
0x0060   2069 6d61 6765 2f78 2d78 6269 746d 6170        .image/x-xbitmap
0x0070   2c20 696d 6167 652f 6a70 6567 2c20 696d        ,.image/jpeg,.im
0x0080   6167 652f 706a 7065 672c 202a 2f2a 0d0a        age/pjpeg,.*/*..
0x0090   5072 6167 6d61 3a20 6e6f 2d63 6163 6865        Pragma:.no-cache
0x00a0   0d0a 5573 6572 2d41 6765 6e74 3a20 6375        ..User-Agent:.cu
0x00b0   726c 2f37 2e39 2e35 2028 6936 3836 2d70        rl/7.9.5.(i686-p
0x00c0   632d 6c69 6e75 782d 676e 7529 206c 6962        c-linux-gnu).lib
0x00d0   6375 726c 2037 2e39 2e35 2028 4f70 656e        curl.7.9.5.(Open
0x00e0   5353 4c20 302e 392e 3662 290d 0a49 662d        SSL.0.9.6b)..If-
0x00f0   4d6f 6469 6669 6564 2d53 696e 6365 3a20        Modified-Since:.
0x0100   5475 652c 2032 3820 4d61 7920 3230 3032        Tue,.28.May.2002
0x0110   2031 343a 3334 3a33 3120 474d 540d 0a49        .14:34:31.GMT..I
0x0120   662d 4e6f 6e65 2d4d 6174 6368 3a20 2238        f-None-Match:."8
0x0130   3232 6339 6463 3735 3436 6332 313a 3164        22c9dc7546c21:1d
0x0140   3439 3522 0d0a 436f 6e6e 6563 7469 6f6e        495"..Connection
0x0150   3a20 636c 6f73 650d 0a0d 0a                    :.close....


0x0000   4500 013e 3579 4000 7b06 6d10 d9ed be0a        E..>5y@.{.m.....
0x0010   5084 73b4 0050 09a2 134b 5aaa 7b65 d38e        P.s..P...KZ.{e..
0x0020   5018 20d5 d9a9 0000 4854 5450 2f31 2e31        P.......HTTP/1.1
0x0030   2033 3034 204e 6f74 204d 6f64 6966 6965        .304.Not.Modifie
0x0040   640d 0a53 6572 7665 723a 204d 6963 726f        d..Server:.Micro
0x0050   736f 6674 2d49 4953 2f34 2e30 0d0a 4461        soft-IIS/4.0..Da
0x0060   7465 3a20 4672 692c 2032 3120 4a75 6e20        te:.Fri,.21.Jun.
0x0070   3230 3032 2031 313a 3535 3a31 3820 474d        2002.11:55:18.GM
0x0080   540d 0a43 6163 6865 2d43 6f6e 7472 6f6c        T..Cache-Control
0x0090   3a20 6e6f 2d63 6163 6865 0d0a 4578 7069        :.no-cache..Expi
0x00a0   7265 733a 2046 7269 2c20 3231 204a 756e        res:.Fri,.21.Jun
0x00b0   2032 3030 3220 3131 3a35 353a 3138 2047        .2002.11:55:18.G
0x00c0   4d54 0d0a 436f 6e6e 6563 7469 6f6e 3a20        MT..Connection:.
0x00d0   636c 6f73 650d 0a43 6f6e 7465 6e74 2d4c        close..Content-L
0x00e0   6f63 6174 696f 6e3a 2068 7474 703a 2f2f        ocation:.http://
0x00f0   616c 6c65 732e 7175 6f6b 612e 6465 2f69        alles.quoka.de/i
0x0100   6e64 6578 2e68 746d 6c0d 0a45 5461 673a        ndex.html..ETag:
0x0110   2022 3832 3263 3964 6337 3534 3663 3231        ."822c9dc7546c21
0x0120   3a31 6434 3935 220d 0a43 6f6e 7465 6e74        :1d495"..Content
0x0130   2d4c 656e 6774 683a 2030 0d0a 0d0a             -Length:.0....


Well, this is a sooo difficult to understand problem that no Apache developer
was able to handle it since 1.3.23. Unfortunately there's a security problem
so users cannot use the working 1.3.22 anymore.

I just don't understand the ignorance and arrogance of the Apache team. It
took "little me" about 4 hours to come up with some solution and this required
code analysis from scratch. The "mighty and glory" apache team did come up
with nothing but /dev/null for months. I wonder...

Oh, "little me" has a job to do and doesn't usually have the time for
code analysis, this was just an emergency reaction due to /dev/null a.k.a.
bugzilla.

Nevertheless, for all those who are bitten by the same problem here's a
working fix. Not beautiful, not glory Apache style, possibly not portable
but at least working on Linux/IA32 which is better than hot air by the
apache team:

--- apache_1.3.26/src/modules/proxy/proxy_http.c        Tue Jun 18 02:59:59
2002+++ apache_1.3.26-fixed/src/modules/proxy/proxy_http.c  Fri Jun 21 16:00:37
2002@@ -517,7 +517,19 @@

         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
+#if 1
+            off_t tmp = ap_strtol(content_length, NULL, 10);
+            if (r->status == HTTP_NOT_MODIFIED && tmp == 0 && c->len
!= -1) {
+                unsigned char clen[32];
+                sprintf(clen,"%ld",c->len);
+                ap_table_unset(resp_hdrs, "Content-Length");
+                ap_table_add(resp_hdrs, "Content-Length", clen);
+            }
+            else
+               c->len = tmp;
+#else
             c->len = ap_strtol(content_length, NULL, 10);
+#endif
         }

         /* Now add out bound headers set by other modules */
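
Review bot: the new branch keeps the cached length only when the 304 carries a Content-Length of exactly 0 (tmp == 0), so a 304 with any other Content-Length still reaches "c->len = tmp" and replaces the stored length; testing only "r->status == HTTP_NOT_MODIFIED && c->len != -1" would cover both cases. In the same branch, clen is declared unsigned char but is passed to sprintf and ap_table_add, which take char pointers, and "%ld" assumes c->len is a long while tmp is declared off_t; a plain char buffer filled with ap_snprintf and an explicit (long) cast avoids both mismatches. The ap_table_unset plus ap_table_add pair can be a single ap_table_set, and the "#if 1 ... #else ... #endif" wrapper should be dropped so the old assignment does not linger as dead code.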

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

