Summary: | HTTP Connector incorrectly throws Exception on Invalid If-Modified-Since Header | | |
---|---|---|---|
Product: | Tomcat 6 | Reporter: | George Sexton <gsexton> |
Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | | |
Severity: | normal | | |
Priority: | P2 | | |
Version: | 6.0.35 | | |
Target Milestone: | default | | |
Hardware: | PC | | |
OS: | Linux | | |
Description
George Sexton
2012-11-01 16:10:42 UTC
There is a grey(ish) area here.

SRV.3.4 states "If the getDateHeader method cannot translate the header to a Date object, an IllegalArgumentException is thrown"

RFC2616-3.3.1 states "Recipients of date values are encouraged to be robust in accepting date values". I take 'robust' in this case to mean tolerant rather than strict. It could be read as either.

RFC2616-14.25.a as already quoted

Together, these suggest that Tomcat should try and parse the header regardless of the format and if it can't parse it ignore it if the header is an "If-Modified-Since" header.

When processing the If-Modified-Since header in the DefaultServlet, Tomcat does follow RFC2616-14.25.a and effectively ignores the header.

The Javadoc for getDateHeader() states that "returns ... -1 if the named header was not included with the request". That is the only circumstance in which -1 is a permitted return value so if the header is present but in the wrong format Tomcat's only options are
a) throw an IAE,
b) parse it anyway.

The problem with b) is that Tomcat would have to guess what the invalid format was. That is easier said than done. Therefore, all Tomcat can realistically do here is throw IAE.

That, therefore, passes responsibility for adhering to RFC2616-14.25.a to whatever code is calling getDateHeader(). In this case the application; making it an application issue not a Tomcat one.

(In reply to comment #1)
> When processing the If-Modified-Since header in the DefaultServlet, Tomcat
> does follow RFC2616-14.25.a and effectively ignores the header.

I am REOPENing this.

The DefaultServlet is OK and has the necessary try/catches around getDateHeader() calls. The problem is in javax.servlet.http.HttpServlet#service() where a try/catch is missing.

I see two options:
a) ignore the invalid header, like it is done by DefaultServlet,
b) silently fail with error 400.

Failing with error 500 isn't good.

Thanks for catching that. I should have read the stack trace more carefully.
Fixed in trunk and 7.0.x and will be included in 7.0.33 onwards.
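
Option a) from the thread (treat an unparseable If-Modified-Since as if it were absent), shown as an added example that is not Tomcat's code or the committed fix. The `getDateHeader` method here is a local stand-in that models the contract quoted above (-1 when absent, IllegalArgumentException when unparseable); the class name, `status` helper and sample values are constructed for illustration.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Locale;
import java.util.TimeZone;

public class ConditionalGetDemo {
    // The three HTTP-date layouts listed in RFC 2616 section 3.3.1.
    private static final String[] FORMATS = {
        "EEE, dd MMM yyyy HH:mm:ss zzz",   // RFC 1123
        "EEEE, dd-MMM-yy HH:mm:ss zzz",    // RFC 850
        "EEE MMM d HH:mm:ss yyyy"          // asctime()
    };

    // Stand-in for the servlet getDateHeader() contract (assumption, not the real API):
    // -1 when the header is absent, IllegalArgumentException when it cannot be parsed.
    static long getDateHeader(String value) {
        if (value == null) return -1L;
        for (String f : FORMATS) {
            SimpleDateFormat sdf = new SimpleDateFormat(f, Locale.US);
            sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
            sdf.setLenient(false);
            try {
                return sdf.parse(value).getTime();
            } catch (ParseException e) { /* try the next layout */ }
        }
        throw new IllegalArgumentException(value);
    }

    // Status for a GET: 304 if the resource is unmodified, otherwise 200.
    static int status(String ifModifiedSince, long lastModifiedMillis) {
        long since;
        try {
            since = getDateHeader(ifModifiedSince);
        } catch (IllegalArgumentException e) {
            since = -1L; // invalid header: ignore it instead of letting it surface as a 500
        }
        // HTTP dates have one-second resolution, so compare on whole seconds.
        if (since != -1L && lastModifiedMillis / 1000 <= since / 1000) return 304;
        return 200;
    }

    public static void main(String[] args) {
        long lastModified = 1351786242000L; // constructed: 2012-11-01 16:10:42 UTC
        String[] samples = { null, "Thu, 01 Nov 2012 16:10:42 GMT",
                             "Wed, 31 Oct 2012 00:00:00 GMT", "2012-11-01T16:10:42Z" };
        for (String s : samples) System.out.println(s + " -> " + status(s, lastModified));
    }
}
```

The last sample is a malformed (ISO 8601) value; it takes the same path as a missing header and the request is served normally.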