Bug 66591 - HttpResponse without any header generates corrupted AJP messages
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.74
Hardware: All Linux
Importance: P2 normal
Assignee: Tomcat Developers Mailing List
Reported: 2023-05-03 06:26 UTC by Conny Seifert
Modified: 2023-05-03 16:46 UTC

minimal testcase (4.33 KB, application/octet-stream)
2023-05-03 11:49 UTC, Conny Seifert

Description Conny Seifert 2023-05-03 06:26:40 UTC
Fix for bug 66512 caused an issue in one of our applications, which does not set any response header at all. At first glance, no RFC defines that one MUST set some HTTP header. But we definitely "should".

So this "Bug" is only to bring this to your attention. At least there should be an appropriate error message instead of generating corrupted AJP messages.

KR Conny
Comment 1 Mark Thomas 2023-05-03 09:13:05 UTC
Thanks for the report.

My reading of RFC 9110 (section 3.4) is that responses do not require headers. I am a little curious how the fix for bug 66512 triggered this but it does look like a bug.

I'm working on this now.
Comment 2 Mark Thomas 2023-05-03 11:04:12 UTC
I've tried to recreate this locally but am unable to. Specifically, I have not been able to write a Servlet that causes Tomcat to send an AJP response with no headers.

Please provide the simplest test case that recreates this issue from a clean install of the latest release of any supported version of Tomcat (8.5.x, 9.0.x, 10.1.x or 11.0.x as I write this).
Comment 3 Conny Seifert 2023-05-03 11:14:29 UTC
If I understood the code correctly, the "header-loop" beginning in line 950 is not entered at all in case of 0 headers. So no https status code is appended to AJP response and also the number of headers is missing then.
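
A structural check for the message type under discussion, as an added example that is not part of the original comment and is not Tomcat or mod_proxy_ajp code: it parses an AJP13 SEND_HEADERS packet (magic `AB`, 2-byte length, prefix code 0x04, 2-byte status, status message string, 2-byte header count, then the headers) and rejects one whose status and header count are absent. Both sample packets are constructed; `MISSING_FIELDS` is an assumption about what such a message could look like based on the reading above, not a capture from an affected server.

```python
import struct

SEND_HEADERS = 0x04  # AJP13 prefix code: container -> web server, response headers

class AjpFormatError(ValueError):
    pass

def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise AjpFormatError(f"truncated at offset {pos}")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _string(buf, pos):
    # AJP string: 2-byte length, the bytes, then a 0x00 terminator
    n, pos = _u16(buf, pos)
    end = pos + n
    if end + 1 > len(buf) or buf[end] != 0:
        raise AjpFormatError(f"bad string at offset {pos}")
    return buf[pos:end].decode("latin-1"), end + 1

def parse_send_headers(packet):
    """Return (status, message, headers) or raise AjpFormatError."""
    if packet[:2] != b"AB":
        raise AjpFormatError("missing 'AB' magic")
    length, pos = _u16(packet, 2)
    if length != len(packet) - 4:
        raise AjpFormatError("length field does not match payload")
    if length < 1 or packet[pos] != SEND_HEADERS:
        raise AjpFormatError("not a SEND_HEADERS message")
    status, pos = _u16(packet, pos + 1)
    message, pos = _string(packet, pos)
    count, pos = _u16(packet, pos)      # zero is a legal header count
    headers = []
    for _ in range(count):
        code, after = _u16(packet, pos)
        if code >> 8 == 0xA0:           # common header name sent as a 2-byte code
            name, pos = code, after
        else:
            name, pos = _string(packet, pos)
        value, pos = _string(packet, pos)
        headers.append((name, value))
    if pos != len(packet):
        raise AjpFormatError("trailing bytes after headers")
    return status, message, headers

def check(packet):
    """Return None for a well-formed packet, else the reason it was rejected."""
    try:
        parse_send_headers(packet)
    except AjpFormatError as exc:
        return str(exc)

def wrap(payload):
    return b"AB" + struct.pack(">H", len(payload)) + payload

# Constructed samples (not captured traffic)
OK_NO_HEADERS = wrap(b"\x04\x00\xc8\x00\x02OK\x00\x00\x00")  # 200 OK, 0 headers
MISSING_FIELDS = wrap(b"\x04")                               # prefix code only
```
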

Comment 4 Conny Seifert 2023-05-03 11:49:22 UTC
Created attachment 38551
minimal testcase

Attached app returns string "test" without any headers.
In case of failure, output looks like this:
00000000: 0065 7374  .est
At least when using Apache http with mod_proxy_ajp.
Comment 5 Mark Thomas 2023-05-03 14:31:37 UTC
Thanks - I can recreate it now. I have a test case and the fix looks simple. Just need to run a few more tests.
Comment 6 Mark Thomas 2023-05-03 16:46:15 UTC
Fixed in:
- 11.0.x for 11.0.0-M6 onwards
- 10.1.x for 10.1.9 onwards
-  9.0.x for  9.0.75 onwards
-  8.5.x for  8.5.89 onwards