| Summary: | FORM authentication POST replay broken for AJP |
| Product: | Tomcat 6 |
| Component: | Connectors |
| Reporter: | Konstantin Kolinko <knst.kolinko> |
| Assignee: | Tomcat Developers Mailing List <dev> |
Description Konstantin Kolinko 2012-02-05 18:10:19 UTC
Reported and discussed in the following thread on users@: "Form Authentication POST data not preserved?"
http://markmail.org/message/pldgbe4jbnb46ha4
http://marc.info/?t=132830976900001&r=1&w=2

This supposedly has the same trigger as the issue reported in Comment 9 in bug 51940, that is, consuming the body of the original request before replacing it.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51940#c9

In AbstractAjpProcessor$SocketInputBuffer#doRead() there is a check for the "endOfStream" flag. If the flag is set, the method returns immediately and does not use the bodyBytes field that was initialized to replay the body.

The fix is to add the following line to the "REQ_SET_BODY_REPLAY" case in AbstractAjpProcessor#action(), as confirmed on the users@ thread:

    endOfStream = false;

In 6.0.x the implementation of AjpProcessor$SocketInputBuffer and of the replay action is the same, but I have not tested whether this bug can be triggered there or not.
Comment 1 Mark Thomas 2012-02-08 17:23:56 UTC
Fixed in trunk and 7.0.x and will be included in 7.0.26 onwards. Proposed for 6.0.x. I didn't test it but I can't see how it could work without this patch.
Comment 2 Mark Thomas 2012-03-20 21:52:31 UTC
Fixed in 6.0.x and will be included in 6.0.36 onwards.
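A simplified model of the flag interaction described in this report, added here as an illustration and not taken from Tomcat source. Only `endOfStream`, `bodyBytes` and `doRead` are names from the report; the class, the other members and the sample POST body are hypothetical.

```java
import java.nio.charset.StandardCharsets;

// Simplified model of the behaviour described in the report; not Tomcat code.
public class ReplayModel {
    private byte[] bodyBytes = new byte[0]; // body handed out by the next doRead()
    private boolean empty = true;           // true once bodyBytes has been consumed
    private boolean endOfStream = false;    // set when the original body is exhausted
    private final boolean resetOnReplay;    // true = apply the one-line fix

    ReplayModel(boolean resetOnReplay) { this.resetOnReplay = resetOnReplay; }

    // The original request body arrives from the connector (hypothetical helper).
    void receive(byte[] body) { bodyBytes = body; empty = false; }

    // Models the REQ_SET_BODY_REPLAY action: install the saved POST body.
    void setBodyReplay(byte[] saved) {
        bodyBytes = saved;
        empty = false;
        if (resetOnReplay) {
            endOfStream = false; // the fix named in the report
        }
    }

    // Models doRead(): returns null once the stream has ended.
    byte[] doRead() {
        if (endOfStream) return null; // early return never looks at bodyBytes
        if (empty) { endOfStream = true; return null; }
        empty = true;
        return bodyBytes;
    }

    // Consume the original body, then replay it as FORM auth does after login.
    static String replayedBody(boolean fixed) {
        ReplayModel in = new ReplayModel(fixed);
        byte[] post = "user=alice&item=42".getBytes(StandardCharsets.UTF_8); // constructed sample
        in.receive(post);
        while (in.doRead() != null) { } // body fully read before it is replaced
        in.setBodyReplay(post);
        byte[] out = in.doRead();
        return out == null ? "<empty>" : new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        System.out.println("without reset: " + replayedBody(false));
        System.out.println("with reset:    " + replayedBody(true));
    }
}
```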