Bug 65901 - HTTP 401 response for a HEAD request violates HTTP spec by including a body
Summary: HTTP 401 response for a HEAD request violates HTTP spec by including a body
Status: RESOLVED FIXED
Alias: None
Product: Tomcat Connectors
Classification: Unclassified
Component: mod_jk
Version: 1.2.48
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-20 17:21 UTC by Stefan Mayr
Modified: 2023-09-04 22:07 UTC
Attachments
Attempt to fix bug 65901 (1.80 KB, patch)
2022-02-20 19:29 UTC, Stefan Mayr
Attempt to fix bug 65901 against 1.2.49 (1.80 KB, patch)
2022-08-24 20:43 UTC, Stefan Mayr

Description Stefan Mayr 2022-02-20 17:21:03 UTC
Under a certain condition, mod_jk seems to be responsible for returning a request body on a HEAD request, which violates the HTTP spec.

Conditions:
- the response has a HTTP 401 status code
- an ErrorDocument is defined for a 401
- the path to this ErrorDocument makes use of an Alias directive

Example configuration:
 
Alias /error/ "/usr/share/apache2/error/"
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
JkMount /demo/* ajp13_worker

Debugging so far has shown that
- this issue does not exist for other status codes like 404 or 500
- the response body does not come from the Tomcat AJP connector 
- the issue disappears if we either comment out the Alias or ErrorDocument directive
- if we use ;use_server_errors=401 with the JkMount Apache httpd generates the correct response
- this affects mod_jk 1.2.43, 1.2.46 and 1.2.48
Comment 1 Stefan Mayr 2022-02-20 19:29:11 UTC
Created attachment 38204 [details]
Attempt to fix bug 65901

Attempt to fix that issue. I'm not sure if it is complete nor if it has any side effects.
Comment 2 Stefan Mayr 2022-08-24 19:49:48 UTC
This week we found this issue is also present for other status codes like 403, 404, 405 etc.

Test with custom JSPs like
<% response.sendError(401, "Authenticate"); %>
Comment 3 Stefan Mayr 2022-08-24 20:43:27 UTC
Created attachment 38376 [details]
Attempt to fix bug 65901 against 1.2.49
Comment 4 Stefan Mayr 2022-08-24 21:18:03 UTC
Github pull request was also updated: https://github.com/apache/tomcat-connectors/pull/5
Comment 5 Stefan Mayr 2022-10-03 18:42:59 UTC
Did anyone have a chance to look into that issue?
Comment 6 Stefan Mayr 2023-03-06 13:24:33 UTC
After this ticket has celebrated its first birthday, can anyone have a look into this issue? Looking at the commit history, maybe Rainer Jung or Mark Thomas.

Thank you
Comment 7 Mark Thomas 2023-09-04 22:07:00 UTC
For the record, the use of an Alias was not required to reproduce this issue.

The root cause was mod_jk directing httpd to generate a response body for error responses that did not include a body. Responses to HEAD requests were not excluded from this functionality but they should have been.

This has been fixed in main for 1.2.49 onwards.
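As an added example (not code from mod_jk, httpd, the attached patches or the pull request), the following Python script shows how a test harness can verify the behaviour described in the report and in the root-cause comment above. It parses captured raw HTTP responses, flags any HEAD response that carries message-body bytes, and models the corrected decision Mark Thomas describes: a server-generated error page is only warranted for a body-less error response from the backend, and never for a HEAD request. The function names, the `needs_generated_error_body` model and all sample captures are assumptions constructed for this example.

```python
"""Added example (not mod_jk or httpd code): detect a HEAD response that
carries a body, and model the corrected "generate error body?" decision.
All sample responses below are constructed for this example."""
import re

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_response(raw: bytes):
    """Split a raw response into (status, headers, body).

    Headers are keyed by lowercased name; the body is everything after the
    blank line that terminates the header block (possibly empty)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0].decode("latin-1"))
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def head_response_has_body(raw: bytes) -> bool:
    """True when a response captured for a HEAD request contains body bytes.

    A Content-Length header on a HEAD response is legitimate (it describes
    the body a GET would return); only actual bytes after the header block
    are a violation, so the check looks at the bytes, not the headers."""
    _, _, body = parse_response(raw)
    return len(body) > 0


def audit_head_captures(captures: dict) -> dict:
    """Map capture name -> status code for every HEAD response with a body."""
    findings = {}
    for name, raw in captures.items():
        status, _, _ = parse_response(raw)
        if head_response_has_body(raw):
            findings[name] = status
    return findings


def needs_generated_error_body(status: int, backend_sent_body: bool,
                               header_only: bool) -> bool:
    """Assumed model of the corrected decision (not mod_jk's own code):
    synthesise an error page only for a 4xx/5xx response that arrived
    without a body, and never when the request was HEAD."""
    if header_only:
        return False
    return status >= 400 and not backend_sent_body


# Constructed captures of responses to HEAD /demo/ (not real traffic).
HEAD_401_WITH_BODY = (  # the defect: error page emitted on a HEAD request
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="demo"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"<html><body><h1>401 Unauthorized</h1></body></html>\n"
)
HEAD_401_NO_BODY = (  # correct: headers only, Content-Length may stay
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="demo"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
)
HEAD_404_NO_BODY = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLES = {
    "401-errordocument-via-mod_jk": HEAD_401_WITH_BODY,
    "401-use_server_errors": HEAD_401_NO_BODY,
    "404": HEAD_404_NO_BODY,
}

if __name__ == "__main__":
    print(audit_head_captures(SAMPLES))  # {'401-errordocument-via-mod_jk': 401}
```

To use it against a live server, send a HEAD request over a plain socket and pass the bytes read back to `head_response_has_body`. Checking the raw bytes rather than the headers matters: on a keep-alive connection a stray body is read by the client as the start of the next response, which is how this class of framing defect surfaces in practice.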