Bug 63312 - Unable to set status code on response after the status code was set to >= 400
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.39
Hardware: PC All
Importance: P1 regression
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2019-04-03 11:21 UTC by petrowski.patryk
Modified: 2019-04-07 21:48 UTC

Description petrowski.patryk 2019-04-03 11:21:25 UTC
The bug https://bz.apache.org/bugzilla/show_bug.cgi?id=62471 has been reintroduced in Tomcat 8.5.39. After setting a response status to >= 400 it's impossible to set status code again. It appears that the fix for 9.x from commit 2b239e1ea0f3f8b5cdf01062a106ade9465756ec was not applied to 8.5.x and the regression was released in 8.5.39.
Comment 1 Greg Senia 2019-04-03 18:47:10 UTC
I assume I am hitting the same problem with Tomcat 8.5.39. This doesn't happen in 8.5.38 or 9.0.16/17, but it happens in 8.5.39.

8.5.38/9.0.16/17 - Working:
Host: ms.senia.org:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Origin: http://ms.senia.org:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://ms.senia.org:8080/login
Content-Length: 35
Cookie: _ga=GA1.2.1325695642.1548688812; __cfduid=da3e73689d4a06bf901836c2dadce38751531340071

username=gsadmin&password=sdfsdfsdf

HTTP/1.1 302 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Location: /login?error=true
Content-Length: 0
Date: Wed, 03 Apr 2019 18:17:12 GMT

GET /login?error=true HTTP/1.1
Host: ms.senia.org:8080
Origin: http://ms.senia.org:8080
Cookie: _ga=GA1.2.1325695642.1548688812; __cfduid=da3e73689d4a06bf901836c2dadce38751531340071
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Referer: http://ms.senia.org:8080/login
Accept-Encoding: gzip, deflate
Accept-Language: en-us

8.5.39 - Failed on Redirect, just a 401 or on Safari a login.dms download.

POST /login HTTP/1.1
Host: ms.senia.org:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Origin: http://ms.senia.org:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Referer: http://ms.senia.org:8080/login
Content-Length: 35
Cookie: _ga=GA1.2.1325695642.1548688812; __cfduid=da3e73689d4a06bf901836c2dadce38751531340071

username=gsadamin&password=sdfsdfsf

HTTP/1.1 401 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Location: /login?error=true
Content-Length: 0
Date: Wed, 03 Apr 2019 18:13:25 GMT
Comment 2 petrowski.patryk 2019-04-04 08:04:30 UTC
(In reply to Greg Senia from comment #1)

Hey Greg,

As 8.5.39 is the only 8.5.x version that was released with the regression I'd say the probability that you're affected is very high.

Cheers,
Patryk
> I assume I am hitting the same problem with Tomcat 8.5.39. This doesn't
> happen in 8.5.38 or 9.0.16/17, but it happens in 8.5.39.
> 
> 8.5.38/9.0.16/17 - Working:
> Host: ms.senia.org:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Encoding: gzip, deflate
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> Origin: http://ms.senia.org:8080
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4)
> AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> Referer: http://ms.senia.org:8080/login
> Content-Length: 35
> Cookie: _ga=GA1.2.1325695642.1548688812;
> __cfduid=da3e73689d4a06bf901836c2dadce38751531340071
> 
> username=gsadmin&password=sdfsdfsdf
> 
> HTTP/1.1 302 
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Frame-Options: SAMEORIGIN
> Location: /login?error=true
> Content-Length: 0
> Date: Wed, 03 Apr 2019 18:17:12 GMT
> 
> GET /login?error=true HTTP/1.1
> Host: ms.senia.org:8080
> Origin: http://ms.senia.org:8080
> Cookie: _ga=GA1.2.1325695642.1548688812;
> __cfduid=da3e73689d4a06bf901836c2dadce38751531340071
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4)
> AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
> Referer: http://ms.senia.org:8080/login
> Accept-Encoding: gzip, deflate
> Accept-Language: en-us
> 
> 8.5.39 - Failed on Redirect, just a 401 or on Safari a login.dms download.
> 
> POST /login HTTP/1.1
> Host: ms.senia.org:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Encoding: gzip, deflate
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> Origin: http://ms.senia.org:8080
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4)
> AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
> Referer: http://ms.senia.org:8080/login
> Content-Length: 35
> Cookie: _ga=GA1.2.1325695642.1548688812;
> __cfduid=da3e73689d4a06bf901836c2dadce38751531340071
> 
> username=gsadamin&password=sdfsdfsf
> 
> HTTP/1.1 401 
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Frame-Options: SAMEORIGIN
> Location: /login?error=true
> Content-Length: 0
> Date: Wed, 03 Apr 2019 18:13:25 GMT
Comment 3 Mark Thomas 2019-04-07 21:48:35 UTC
Fixed in:
- 8.5.x for 8.5.40 onwards

Thanks for the report and for tracking down the missing back-port.
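
A check for the symptom visible in the 8.5.39 capture from comment 1, an error response that still carries the redirect's Location header. This is an added example, not part of the bug report or of Tomcat's code; the function names and the two sample captures (trimmed, with a placeholder host and form body) are constructed for illustration.

```python
import re

# The status line may be fused to the end of the preceding request body,
# as in the captures in comment 1, so search anywhere in the line.
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})(?: |$)")

def responses(capture):
    """Yield (status, headers) for each response head in a text capture."""
    lines = capture.splitlines()
    i = 0
    while i < len(lines):
        m = STATUS_RE.search(lines[i].rstrip())
        i += 1
        if m is None:          # request lines end in "HTTP/1.1", so no match
            continue
        status, headers = int(m.group(1)), {}
        while i < len(lines) and lines[i].strip():   # headers run to a blank line
            name, sep, value = lines[i].partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
            i += 1
        yield status, headers

def stuck_error_redirects(capture):
    """Return (status, location) for responses with status >= 400 and a Location header."""
    return [(s, h["location"]) for s, h in responses(capture)
            if s >= 400 and "location" in h]

# Constructed samples modelled on the two exchanges in comment 1.
WORKING = """POST /login HTTP/1.1
Host: app.example:8080
Content-Length: 21

username=u&password=pHTTP/1.1 302
Location: /login?error=true
Content-Length: 0

GET /login?error=true HTTP/1.1
Host: app.example:8080
"""
REGRESSED = WORKING.replace("HTTP/1.1 302", "HTTP/1.1 401")

if __name__ == "__main__":
    for label, cap in (("working", WORKING), ("regressed", REGRESSED)):
        print(label, stuck_error_redirects(cap))
```
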