Open markblackman opened 8 years ago
dhawes
commented
8 years ago Are there any logs that indicate that the bytes are read all at one time, perhaps in another log entry? I've tried to duplicate this, but have so far had no luck.
I'll definitely have to review Apache input filters before I can fully address what's going on here.
Do you have any reference documentation for this behavior or examples of other modules that handle this correctly?
markblackman
commented
8 years ago On 29 Dec 2015, at 17:22, David Hawes notifications@github.com wrote:
Are there any logs that indicate that the bytes are read all at one time, perhaps in another log entry? I've tried to duplicate this, but have so far had no luck.
I'll definitely have to review Apache input filters before I can fully address what's going on here.
Do you have any reference documentation for this behavior or examples of other modules that handle this correctly
Just this link..
http://docstore.mik.ua/orelly/weblinux2/apache/ch20_09.htm ( See input filters )
We have developed a fix along these lines, i.e. a data structure that persisted for the duration of a request, and proved that it addressed our bug. It’s not a very big change to address it, but our change can’t be released for the usual corporate IP reasons. Possibly, there’s something special about our environment that provokes these split requests, but split requests are meant to be considered a common case for filters as I understand it.
I’m pretty sure that ‘httpd’ is getting the whole request at once, but that the filter processing is resulting in partial bodies being presented to the input filters. Eric Covener suggested "it's something like another module peeking to see if data is ready in the connection. The 1 byte it reads is consumed and set aside, but weaved back in to the next real read."
dhawes
commented
8 years ago Thanks for the link. I'll research the fix and post back here.
Patches always welcome if those polices can be worked around.
Apache input filters are not guaranteed to be called with a complete request but instead should assume the request may be fed in piece-meal, in multiple calls. However, the CAS input filter for single signout (cas_in_filter) logic presumes that the first call will have a complete request as it just examines the current bucket brigade, possibly incomplete, for evidence of SAML signout request, calling the CAS signout if found.
We have seen cases where the single sign-out request is split into two pieces.
https://mail-archives.apache.org/mod_mbox/httpd-users/201510.mbox/%3C39A0AA41C90BDA42BEB03EF9F45DC3F80A058AD2@UCDEDC1PWXMR003.de.db.com%3E
The fix involves a request-scope persistent data structure to build up a copy of the request suitable across multiple calls for passing to CASSAMLLogout