tomcat-dev mailing list archives

From Tim Kientzle <kient...@acm.org>
Subject [BUG] jakarta-servlet: HttpServlet.service() can mis-handle If-Modified-Since
Date Thu, 21 Sep 2000 19:47:44 GMT
I couldn't find a bug mailing list for errors in jakarta-servlet,
so I guessed that this would be the appropriate place.

In HttpServlet.service(), the code first calls
getLastModified(), then goes through the following tests to
determine whether or not to invoke doGet().  The goal is
to skip doGet() if getLastModified returns a valid timestamp
more recent than was specified in an If-Modified-Since header:

if (lastModified == -1) {
  doGet(req, resp);
} else {
  long ifModifiedSince = req.getDateHeader(HEADER_IFMODSINCE);
  if (ifModifiedSince < (lastModified / 1000 * 1000)) {
    maybeSetLastModified(resp, lastModified);
    doGet(req, resp);
  } else {
    resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
  }
}

The first line of this should be changed to:

   if (lastModified < 0) {

Without this change, a user's getLastModified that returns
a negative value other than -1 will prompt an SC_NOT_MODIFIED
response to requests that don't have an If-Modified-Since
header, which is clearly wrong.  Yes, getLastModified() shouldn't
ever return negative values other than -1, but servlet authors
might internally use other negative values as flags, and it's
easy to let those slip through.

				- Tim Kientzle
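
The decision quoted in the message can be modelled outside a servlet container. The following is an added example, not part of the original message or the jakarta-servlet source. It runs the quoted test and the proposed test over constructed sample values for a request without an If-Modified-Since header, in which case getDateHeader() returns -1. The class, enum and method names are hypothetical.

```java
// Added illustration: stand-alone model of the If-Modified-Since decision quoted
// in the message. Class, enum and method names are hypothetical.
public class ConditionalGetDemo {
    enum Outcome { DO_GET, NOT_MODIFIED }

    // Value HttpServletRequest.getDateHeader() returns when the header is absent.
    static final long NO_HEADER = -1;

    // The test as quoted in the message: only -1 means "unknown".
    static Outcome original(long lastModified, long ifModifiedSince) {
        if (lastModified == -1) {
            return Outcome.DO_GET;
        }
        // Java long division truncates toward zero, so -999..-1 round to 0.
        if (ifModifiedSince < (lastModified / 1000 * 1000)) {
            return Outcome.DO_GET;
        }
        return Outcome.NOT_MODIFIED;
    }

    // The test with the proposed first line: any negative value means "unknown".
    static Outcome proposed(long lastModified, long ifModifiedSince) {
        if (lastModified < 0) {
            return Outcome.DO_GET;
        }
        if (ifModifiedSince < (lastModified / 1000 * 1000)) {
            return Outcome.DO_GET;
        }
        return Outcome.NOT_MODIFIED;
    }

    public static void main(String[] args) {
        // Constructed sample values: the -1 sentinel, two negative "flag" values,
        // and one real timestamp in milliseconds.
        long[] samples = { -1L, -2L, -5000L, 969565664000L };
        for (long lm : samples) {
            System.out.printf("lastModified=%d no header: original=%s proposed=%s%n",
                    lm, original(lm, NO_HEADER), proposed(lm, NO_HEADER));
        }
        // A client whose cached copy carries the same timestamp as the resource.
        long cached = 969565664000L;
        System.out.printf("lastModified=%d header=%d: original=%s proposed=%s%n",
                cached, cached, original(cached, cached), proposed(cached, cached));
    }
}
```

The comparison is between the absent-header value -1 and lastModified rounded to whole seconds, so the outcome of the original test for a negative flag value depends on how that rounding treats it; the proposed test bypasses the comparison for every negative value.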
