Summary: Does not return HTTP 406 for restricted client Accept headers
Product: Apache httpd-1.3
Component: Other mods
Reporter: FreqOut <freqout>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description FreqOut 2003-03-12 22:32:27 UTC
There is a bug in the mod_negotiation module of Apache httpd where it is incorrectly returning HTTP status 200 and content when receiving a browser client request that contains restricted Accept headers, when the correct web server response should be a HTTP status 406. For example, using the HTTP client request header of

GET /images/asf_logo_wide.gif HTTP/1.1
User-Agent: Mozilla/4.0 [en] ()
Accept: text/*
Connection: keep-alive
Host: www.apache.org

(note www.apache.org is a 2.x based server, but this defect does apply to 1.3.27 and other 1.3.x versions)

The httpd web server should return a HTTP STATUS 406 because the .gif is associated with image/gif and does not match the HTTP client's Accept criteria. Instead, Apache httpd currently responds with a HTTP STATUS 200 with the gif file's binary content.

Associated references:
- HTTP 1.1, rfc2616 Section 14: http://www.ietf.org/rfc/rfc2616.txt and http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
- Apache negotiation algorithm in http://httpd.apache.org/docs/content-negotiation.html
Comment 2 André Malo 2003-03-12 23:11:28 UTC
You're requesting a non-negotiated resource. Therefore negotiation rules don't apply. Thanks for your care anyway and thanks for using Apache.
Comment 3 FreqOut 2003-03-13 16:00:04 UTC
Andre, I'm afraid you'll have to go into more detail concerning non-negotiated resource. There is no mention of non-negotiated resources in either RFC 2616 or the Apache content negotiation documentation. If you could point me towards documentation, or show me an example where Apache correctly returns the 406, that would be really helpful. I would also like to point out the Apache negotiation documentation concerning this issue.

-------------------------< SNIP >-------------------------------------------
Apache Negotiation Algorithm

Apache can use the following algorithm to select the 'best' variant (if any) to return to the browser. This algorithm is not further configurable. It operates as follows:

1. First, for each dimension of the negotiation, check the appropriate Accept* header field and assign a quality to each variant. If the Accept* header for any dimension implies that this variant is not acceptable, eliminate it. If no variants remain, go to step 4.
2. Select the 'best' variant by a process of elimination. Each of the following tests is applied in order. Any variants not selected at each test are eliminated. After each test, if only one variant remains, select it as the best match and proceed to step 3. If more than one variant remains, move on to the next test.
   1. Multiply the quality factor from the Accept header with the quality-of-source factor for this variant's media type, and select the variants with the highest value.
   2. Select the variants with the highest language quality factor.
   3. Select the variants with the best language match, using either the order of languages in the Accept-Language header (if present), or else the order of languages in the LanguagePriority directive (if present).
   4. Select the variants with the highest 'level' media parameter (used to give the version of text/html media types).
   5. Select variants with the best charset media parameters, as given on the Accept-Charset header line. Charset ISO-8859-1 is acceptable unless explicitly excluded. Variants with a text/* media type but not explicitly associated with a particular charset are assumed to be in ISO-8859-1.
   6. Select those variants which have associated charset media parameters that are not ISO-8859-1. If there are no such variants, select all variants instead.
   7. Select the variants with the best encoding. If there are variants with an encoding that is acceptable to the user-agent, select only these variants. Otherwise if there is a mix of encoded and non-encoded variants, select only the unencoded variants. If either all variants are encoded or all variants are not encoded, select all variants.
   8. Select the variants with the smallest content length.
   9. Select the first variant of those remaining. This will be either the first listed in the type-map file, or when variants are read from the directory, the one whose file name comes first when sorted using ASCII code order.
3. The algorithm has now selected one 'best' variant, so return it as the response. The HTTP response header Vary is set to indicate the dimensions of negotiation (browsers and caches can use this information when caching the resource). End.
4. To get here means no variant was selected (because none are acceptable to the browser). Return a 406 status (meaning "No acceptable representation") with a response body consisting of an HTML document listing the available variants. Also set the HTTP Vary header to indicate the dimensions of variance.
-------------------------< SNIP >-------------------------------------------

Following the negotiation algorithm above (and I must say kudos to Apache for providing this document) you do step 1, in which you discover that there is no matching Accept type, and must go to step 4, which states that a 406 should be returned.
Comment 4 André Malo 2003-03-13 16:27:04 UTC
I know the docs ;-) But it's a simple answer: mod_negotiation is not involved in the request. Multiviews apply, if and only if the requested resource does not map exactly to a file (or directory), i.e. if the server would return a 404 otherwise (also described in the docs somewhere). Type maps apply if the requested (existing) file is handled by the type-map handler. So if you're explicitly requesting an existing resource, which isn't magically negotiated (type-maps), mod_negotiation feels not responsible for the request. No bug.

This is, by the way, the only way it can work. Consider, for example, the following situation:

- request with Accept: something
  -> response 406 with a list of available variants.
- user explicitly selects one variant but _doesn't_ change his Accept-Header
  -> response 406? no. ignore Accept-Header, because it is an explicitly requested resource which has no alternative variants.
Comment 5 FreqOut 2003-03-13 18:27:39 UTC
Thank you for your quick response André. Ongoing, I'll just update this bug rather than have us go back and forth with the same stuff on both bugs. 17937 references this bug, and that is enough. Your premise is that negotiation will not be invoked if there exists only one resource for the requested file, and that the correct thing would be to return the requested file, disregarding the client's Accept headers. It would help me to accept this, if you could show some public documentation that would back this type of response. I have done my best to comb through relevant documentation, and to do searches for non-negotiation criteria. I'm going to take some time to research this some more, while also discussing it with others. I'm afraid that I'm still not convinced that Apache httpd is exhibiting the correct behavior. Although, I will submit that I have seen both behaviors in other web servers. IIS does return a HTTP 406, and I admit that that does not make it "correct". Apache Tomcat (coyote) does the same as Apache httpd, but coming from the same group that is not a surprise. However, when this is compounded by SUN's Enterprise web server also not returning a HTTP 406, I must then be able to supply further evidence that would support returning HTTP 406 in this case.
Comment 6 FreqOut 2003-03-14 16:47:11 UTC
Ok André, I made your case for you. According to rfc2616

-----------------------------< snip >--------------------------------------
10.4.7 406 Not Acceptable

The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Unless it was a HEAD request, the response SHOULD include an entity containing a list of available entity characteristics and location(s) from which the user or user agent can choose the one most appropriate. The entity format is specified by the media type given in the Content-Type header field. Depending upon the format and the capabilities of the user agent, selection of the most appropriate choice MAY be performed automatically. However, this specification does not define any standard for such automatic selection.

Note: HTTP/1.1 servers are allowed to return responses which are not acceptable according to the accept headers sent in the request. In some cases, this may even be preferable to sending a 406 response. User agents are encouraged to inspect the headers of an incoming response to determine if it is acceptable. If the response could be unacceptable, a user agent SHOULD temporarily stop receipt of more data and query the user for a decision on further actions.
-----------------------------< snip >--------------------------------------

The important part there is the "Note:", where it does specify that a server is allowed to return the resource even though it does not match the Accept header, and thus it is left up to the client to reject the resource based on the returned headers which hopefully will send the correct content type. I still think this is an unfortunate flaw in the specification, but I agree that it cannot be considered an Apache httpd flaw, only an implementation choice.
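The two sides of this thread, worked as an added example (my code, not from the bug report or from Apache's mod_negotiation): RFC 2616 14.1 Accept matching used first as step 1 of the negotiation algorithm quoted in comment 3 (eliminate variants the Accept header rules out, 406 if none remain), and then as the client-side check the RFC "Note:" in comment 6 recommends, since a directly requested file comes back as 200 regardless of Accept. The function names and the variant sets are constructed for the example.

```python
# Added example, not code from the bug thread or from Apache httpd.
# Variant sets passed to negotiate() are constructed {filename: media type}
# maps in type-map order; names like negotiate() are this example's own.

def parse_accept(header):
    """'text/*, image/png;q=0.5' -> [('text', '*', 1.0), ('image', 'png', 0.5)]"""
    ranges = []
    for part in filter(None, (p.strip() for p in header.split(","))):
        media, *params = (p.strip() for p in part.split(";"))
        qs = [p.partition("=")[2] for p in params if p.lower().startswith("q=")]
        try:
            q = max(0.0, min(1.0, float(qs[0]))) if qs else 1.0
        except ValueError:
            q = 0.0  # malformed q: treat the range as unacceptable
        typ, _, sub = media.partition("/")
        ranges.append((typ.strip().lower(), (sub.strip() or "*").lower(), q))
    return ranges


def accept_quality(accept, content_type):
    """Quality Accept assigns to content_type (0.0 = not acceptable); the most
    specific matching media range wins, as RFC 2616 14.1 requires."""
    typ, _, sub = content_type.split(";")[0].strip().lower().partition("/")
    best = None  # (specificity, q)
    for rtyp, rsub, q in parse_accept(accept):
        spec = {("*", "*"): 0, (typ, "*"): 1, (typ, sub): 2}.get((rtyp, rsub))
        if spec is not None and (best is None or spec > best[0]):
            best = (spec, q)
    return best[1] if best else 0.0


def negotiate(accept, variants):
    """Server side, for a *negotiated* resource (type map or Multiviews):
    step 1 drops unacceptable variants; step 4 answers 406 if none remain."""
    scored = [(accept_quality(accept, ct), name) for name, ct in variants.items()]
    acceptable = [(q, name) for q, name in scored if q > 0.0]
    if not acceptable:
        return 406, None  # no acceptable representation
    # max() keeps the first of equal scores: "select the first variant"
    return 200, max(acceptable, key=lambda qn: qn[0])[1]


def client_should_reject(accept, response_content_type):
    """Client side (RFC 2616 10.4.7 note): inspect the Content-Type of a 200
    response and refuse the body if it does not match the Accept we sent."""
    return accept_quality(accept, response_content_type) == 0.0
```

For the request in the report, `negotiate("text/*", {"asf_logo_wide.gif": "image/gif"})` yields 406 only if the .gif were a negotiated resource; for the direct request Apache answers 200, and `client_should_reject("text/*", "image/gif")` is where the Accept constraint is enforced instead.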
Comment 7 André Malo 2003-03-19 09:27:30 UTC
Thanks for your update. I think we can safely close that bug now :)