Bug 49825

Summary: mod_dav PUT treats malformed Content-Range as if it were absent
Product: Apache httpd-2 Reporter: Wim Lewis <wiml>
Component: mod_davAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: normal Keywords: FixedInTrunk, RFC
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Wim Lewis 2010-08-25 21:10:59 UTC 
reference: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?revision= 982016&view=markup

In dav_parse_range(), called by dav_method_put(), a failure to parse the Content-Range request-header is treated the same as if the header were absent. I think this is wrong for several reasons:

1, Apache's current behavior is pretty much guaranteed to not be the behavior the client needs or expects; if I'm attempting to patch the middle of a file, I don't want the server to replace the entire file with the patch and then report success.

2, although comments in mod_dav.c indicate that the behavior is motivated by RFC2616 [14.16], the relevant paragraph says: "The recipient of an invalid byte-content-range-spec MUST ignore it and any content transferred along with it." In other words, the server is required *not to use* the request entity-body if it is accompanied by an unparsable Content-Range header.

I think that both RFC2616 and common sense indicate that if dav_parse_range() cannot parse a Content-Range header, Apache should reject the entire request (presumably with an HTTP 400 error code).
Comment 1 Wim Lewis 2010-08-25 21:16:26 UTC 
(Possibly related: bug 42978)
Comment 2 Stefan Fritsch 2010-10-24 05:05:35 UTC 
Fixed in trunk in r1026743
Comment 3 Ruediger Pluem 2011-02-08 06:44:32 UTC 
Backported to 2.2.x as r1068309.