Bug#844351: apache2: as a reverse proxy, a 100 continue response is sent prematurely when request contains expects continue

Mon, 14 Nov 2016 09:18:44 -0800 

Package: apache2
Version: 2.4.10-10+deb8u7
Severity: important
Tags: upstream

Dear Maintainer,

  * What led up to the situation?

a backend with correct 100 continue support and a web client which expects 
100-continue

  * What exactly did you do (or not do) that was effective (or
    ineffective)?

Reverse Proxy a backend.

  * What was the outcome of this action?

Premature 100-continue response from apache, before backend responds.

  * What outcome did you expect instead?

No 100-continue unless backend responds with 100-continue


https://bz.apache.org/bugzilla/show_bug.cgi?id=60330

As a reverse proxy, a 100 continue response is sent prematurely when a request 
contains expects: 100-continue. This causes the requesting client to send a 
body. The apache httpd proxy will then read the body and attempt to send it to 
the backend, but the backend already sent an error and should be allowed to NOT 
read the remaining request body, which never should have existed. When the 
backend does not read the request body mod_proxy_http errors and returns a 500 
error to the client. The client never receives the correct error message.



-- Package-specific info:

-- System Information:
Debian Release: 8.6
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-45-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.10-10+deb8u7
ii  apache2-data   2.4.10-10+deb8u7
ii  apache2-utils  2.4.10-10+deb8u7
ii  dpkg           1.17.27
ii  lsb-base       4.1+Debian13+nmu1
ii  mime-support   3.58
ii  perl           5.20.2-3+deb8u6
ii  procps         2:3.3.9-9

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.35

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2-bin depends on:
ii  libapr1                  1.5.1-3
ii  libaprutil1              1.5.4-1
ii  libaprutil1-dbd-sqlite3  1.5.4-1
ii  libaprutil1-ldap         1.5.4-1
ii  libc6                    2.19-18+deb8u6
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  liblua5.1-0              5.1.5-7.1
ii  libpcre3                 2:8.35-3.3+deb8u4
ii  libssl1.0.0              1.0.1t-1+deb8u3
ii  libxml2                  2.9.1+dfsg1-5+deb8u3
ii  perl                     5.20.2-3+deb8u6
ii  zlib1g                   1:1.2.8.dfsg-2+b1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
pn  www-browser                                      <none>

Versions of packages apache2 is related to:
ii  apache2      2.4.10-10+deb8u7
ii  apache2-bin  2.4.10-10+deb8u7

-- no debconf information

Reply via email to