Bug 39402 - enabling gzip negotiation overwrites existing "vary:" headers
Summary: enabling gzip negotiation overwrites existing "vary:" headers
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Connector:Coyote (show other bugs)
Version: 5.5.0
Hardware: All All
: P2 normal with 1 vote (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2006-04-25 16:05 UTC by Matthew Cooke
Modified: 2006-12-25 06:41 UTC (History)
0 users

A patch that fixes the overwriting vary header bug (1.41 KB, patch)
2006-06-07 17:19 UTC, Matthew Cooke
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthew Cooke 2006-04-25 16:05:44 UTC
If you have a site that uses "vary:" headers such as "vary: cookie" to
distinguish between the cacheability of pages for cookied and non-cookied users
this header will get overwritten if you enable gzip negotiation in tomcats
server.xml config.

If gzip negotiation is enabled it should modify the vary header *not* overwrite it.

This is quite bad as enabling gzip in the config can currently cause incorrect
files to get cached in browsers/proxies. By the time a developer realises that
the gzip functionality is broken in this way, various caches will hold the wrong
content possibly for long periods of time even once gzip is turned off again.

I suggest putting a warning in the server.xml against using gzip negotiation if
you are already using vary headers until this bug gets fixed.
Comment 1 Matthew Cooke 2006-06-07 17:19:32 UTC
Created attachment 18424 [details]
A patch that fixes the overwriting vary header bug

This change checks for existing Vary headers and will add to any existing
values in the Vary header. If there is no existing Vary header then it will add
a new one as before.
Comment 2 Yoav Shapira 2006-12-25 04:57:34 UTC
Good catch: thanks for reporting this.
Comment 3 Matthew Cooke 2006-12-25 06:41:16 UTC
(In reply to comment #2)
> Good catch: thanks for reporting this.

Ohh it was a nice xmas present that someone picked this up :)

Please note that the patch only patched

The other HttpProcessor.java needs fixing too. I'm not sure what the difference
is between these files but they both have the same Vary bug.