Bug 52606 - FORM authentication POST replay broken for AJP
Summary: FORM authentication POST replay broken for AJP
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 6.0.35
Hardware: PC Windows XP
: P2 regression (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-05 18:10 UTC by Konstantin Kolinko
Modified: 2012-03-20 21:52 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2012-02-05 18:10:19 UTC
Reported and discussed in the following thread on users@:
"Form Authentication POST data not preserved?"
http://markmail.org/message/pldgbe4jbnb46ha4
http://marc.info/?t=132830976900001&r=1&w=2

This supposedly has the same trigger as the issue reported in Comment 9 in bug 51940 [3], that is consuming the body of the original request before replacing it.

[3] https://issues.apache.org/bugzilla/show_bug.cgi?id=51940#c9

In AbstractAjpProcessor$SocketInputBuffer#doRead() there is a check for "endOfStream" flag. If the flag is set the method returns immediately and does not use the bodyBytes field that was initialized to replay the body.

The fix is to add the following line to "REQ_SET_BODY_REPLAY" case in
AbstractAjpProcessor#action(), as confirmed on the users@ thread:

  endOfStream = false;


In 6.0.x implementation of AjpProcessor$SocketInputBuffer and of replay action is the same, but I have not tested whether this bug can be triggered there or not.
Comment 1 Mark Thomas 2012-02-08 17:23:56 UTC
Fixed in trunk and 7.0.x and will be included in 7.0.26 onwards.

Proposed for 6.0.x. I didn't test it but I can't see how it could work without this patch.
Comment 2 Mark Thomas 2012-03-20 21:52:31 UTC
Fixed in 6.0.x and will be included in 6.0.36 onwards.