
Bug#451563: apache2.2-common: HTTP PUT with mod_dav fails to detect an aborted connection

From: William Herrin <herrin(at)dirtside.com>
Date: Fri Nov 16 2007 - 18:02:03 EST


Package: apache2.2-common
Version: 2.2.3-4+etch1
Severity: normal

Apache treats an aborted HTTP PUT as if it completed successfully, logs the PUT as having completed successfully and leaves the incomplete file on the disk. It does so even though the transmitted content is much shorter than the advertised content length.

Replicate with:

httpd.conf:

LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so
LoadModule dav_lock_module /usr/lib/apache2/modules/mod_dav_lock.so
DAVLockDB /tmp/DAVLock
<Directory /var/www/dav/>
  Dav filesystem
</Directory>

# mkdir /var/www/dav
# chown www-data /var/www/dav
# curl -T bigfile http://localhost/dav/bigfile
^C

partial upload at /var/www/dav/bigfile remains on the disk.

access_log shows success status 201:
127.0.0.1 - - [16/Nov/2007:17:31:32 -0500] "PUT /dav/bigfile HTTP/1.1" 201 322 "-" "curl/7.15.5 (i486-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 libidn/0.6.5"

excerpts from tcpdump:

PUT /dav/bigfile HTTP/1.1
User-Agent: curl/7.15.5 (i486-pc-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8c zlib/1.2.3 libidn/0.6.5
Host: minoc.dirtside.com
Accept: */*
Content-Length: 723795856
Expect: 100-continue


HTTP/1.1 100 Continue

[uploaded data until ^C]

  Note: FIN packet from source due to program abort
17:31:32.166989 IP (tos 0x0, ttl 64, id 58671, offset 0, flags [DF], proto: TCP (6), length: 16436) 127.0.0.1.57636 > 127.0.0.1.80: FP 4587737:4604121(16384) ack 26 win 8192 <nop,nop,timestamp 96632442 96632442>

  Note: Apache responds with success message anyway
17:31:32.170708 IP (tos 0x0, ttl 64, id 31673, offset 0, flags [DF], proto: TCP (6), length: 629) 127.0.0.1.80 > 127.0.0.1.57636: P, cksum 0xca8d (correct), 26:603(577) ack 4604122 win 32768 <nop,nop,timestamp 96632443 96632442>
E..u{.@.@.N.F..RF..R.P.$f ..e.............. ..~{..~zHTTP/1.1 201 Created
Date: Fri, 16 Nov 2007 22:31:32 GMT
Server: Apache/2.2.3 (Debian) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.2.3 OpenSSL/0.9.8c
Location: http://minoc.dirtside.com/dav/bigfile
Content-Length: 322
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>201 Created</title>
</head><body>
<h1>Created</h1>
<p>Resource /dav/bigfile has been created.</p>
<hr />
<address>Apache/2.2.3 (Debian) DAV/2 mod_fastcgi/2.4.2 mod_ssl/2.2.3
OpenSSL/0.9.8c Server at minoc.dirtside.com Port 80</address>
</body></html>

  Note: RST packet from source since the connection is no longer there.
17:31:32.170763 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.57636 > 127.0.0.1.80: R, cksum 0x1f77 (correct), 1707072287:1707072287(0) win 0

  • System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.56-dualp2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2.2-common depends on:

ii  apache2-utils              2.2.3-4+etch1 utility programs for webservers
ii  libmagic1                  4.17-5etch3   File type determination library us
ii  lsb-base                   3.1-23.2etch1 Linux Standard Base 3.1 init scrip
ii  mime-support               3.39-1        MIME files 'mime.types' & 'mailcap
ii  net-tools                  1.60-17       The NET-3 networking toolkit
ii  procps                     1:3.2.7-3     /proc file system utilities

apache2.2-common recommends no packages.

  • no debconf information
-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Fri Nov 16 18:08:50 2007
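
One way to catch the condition described in this report from the server's own logs, as an added example that is not part of the original message or of Apache's code. It assumes a custom audit LogFormat using the request's Content-Length header and mod_logio's %I field; the function name and the sample log lines are constructed for illustration.

```python
import re

# Assumed audit format (mod_log_config plus mod_logio), not from the report:
#   LogFormat "%h %l %u %t \"%r\" %>s %{Content-Length}i %I" putaudit
# %{Content-Length}i is the length the client advertised; %I is the number of
# bytes actually received, request line and headers included.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<advertised>\d+|-) (?P<received>\d+|-)$'
)

# Constructed sample lines; the first mirrors the aborted upload in the report.
SAMPLE_LOG = [
    '127.0.0.1 - - [16/Nov/2007:17:31:32 -0500] "PUT /dav/bigfile HTTP/1.1" 201 723795856 4604121',
    '127.0.0.1 - - [16/Nov/2007:17:40:02 -0500] "PUT /dav/smallfile HTTP/1.1" 201 1024 1260',
    '127.0.0.1 - - [16/Nov/2007:17:41:10 -0500] "GET /dav/smallfile HTTP/1.1" 200 - 180',
    '127.0.0.1 - - [16/Nov/2007:17:42:00 -0500] "PUT /dav/other HTTP/1.1" 403 2048 300',
]

def find_truncated_puts(lines):
    """Return PUTs logged as 2xx that received fewer bytes than Content-Length."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "PUT" or not m["status"].startswith("2"):
            continue
        if m["advertised"] == "-" or m["received"] == "-":
            continue  # no Content-Length (e.g. chunked) or no mod_logio data
        advertised, received = int(m["advertised"]), int(m["received"])
        # %I also counts header bytes, so received < advertised can only mean
        # the body was cut short; "missing" is therefore a lower bound.
        if received < advertised:
            findings.append({
                "time": m["time"],
                "path": m["path"],
                "status": int(m["status"]),
                "missing": advertised - received,
            })
    return findings

if __name__ == "__main__":
    for f in find_truncated_puts(SAMPLE_LOG):
        print(f'{f["time"]} {f["path"]} status={f["status"]} '
              f'at least {f["missing"]} bytes missing')
```

Files flagged this way should be treated as incomplete even though the access log records a success status for them.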

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 02:58:59 EDT

