Opened 14 years ago

Closed 13 years ago

Last modified 13 years ago

#12544 closed (fixed)

Bogus If-Modified-Since header causes 500 in django.views.static.serve

Reported by: Antti Kaihola
Owned by: nobody
Component: HTTP handling
Version: dev
Severity:
Keywords: static
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

Every now and then I get requests with a bogus If-Modified-Since header like

If-Modified-Since: Fri, 34 Feb 3118 24:34:19 GMT

These cause a server error.

Since invalid dates are most certainly only used by malicious clients, it would probably be safe to respond with a "not modified" HTTP response.

Attachments (2)

12544-handle-bogus-if-modified-since-r12117.diff (2.6 KB) - added by Antti Kaihola 14 years ago.
Fix and tests: handle bogus If-Modified-Since headers gracefully
12544-handle-bogus-if-modified-since-r12117.2.diff (2.5 KB) - added by Antti Kaihola 14 years ago.
Fixed to comply with RFC 2616 section 14.25


Change History (9)

by Antti Kaihola, 14 years ago

Fix and tests: handle bogus If-Modified-Since headers gracefully

comment:1 by Antti Kaihola, 14 years ago

Has patch: set

The patch fixes the server error by responding with "not modified" to requests with a bogus If-Modified-Since value. It also adds test cases for If-Modified-Since values

  • which are earlier than the mtime of the file
  • which are later than the mtime of the file
  • which are invalid

comment:2 by Antti Kaihola, 14 years ago

On second thought, I haven't checked what RFCs say about handling bogus timestamps, and maybe it would be wiser to respond with "has been modified" just in case there are legitimate broken clients out there. Thoughts?

comment:3 by Antti Kaihola, 14 years ago

Checked the RFC:

      a) If the request would normally result in anything other than a
         200 (OK) status, or if the passed If-Modified-Since date is
         invalid, the response is exactly the same as for a normal GET.
         A date which is later than the server's current time is
         invalid.

Fixed patch upcoming...

by Antti Kaihola, 14 years ago

Fixed to comply with RFC 2616 section 14.25

comment:4 by Russell Keith-Magee, 14 years ago

Triage Stage: Unreviewed → Accepted

comment:5 by Jannis Leidel, 13 years ago

Patch needs improvement: set

The patch doesn't work for me, e.g. mktime_tz doesn't raise an OverflowError for me.

comment:6 by Jannis Leidel, 13 years ago

Resolution: fixed
Status: new → closed

(In [13870]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

comment:7 by Jannis Leidel, 13 years ago

(In [13871]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

Backport from trunk (r13870).
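
The RFC 2616 section 14.25 rule quoted in comment:3, combined with the point from comment:5 that mktime_tz may not raise on bad input, as an added example (this is not either attached patch and not the code committed in [13870]). The names `parse_http_date` and `is_modified_since` and the sample values are assumptions made for illustration; fields are validated by building a `datetime` rather than by waiting for an OverflowError.

```python
import time
from datetime import timezone
from email.utils import parsedate_to_datetime


def parse_http_date(value):
    """Return the header date as epoch seconds, or None if it is not a valid date."""
    try:
        parsed = parsedate_to_datetime(value)
        if parsed.tzinfo is None:
            # A "-0000" zone parses as naive; HTTP dates are always GMT.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.timestamp()
    except (TypeError, ValueError, OverflowError):
        # Missing header, unparseable text, or out-of-range fields
        # such as day 34 or hour 24.
        return None


def is_modified_since(header, mtime, now=None):
    """True means send the full response (200); False means 304 Not Modified."""
    now = time.time() if now is None else now
    since = parse_http_date(header)
    if since is None or since > now:
        # RFC 2616 14.25 (a): an invalid date, or one later than the
        # server's current time, is answered exactly like a normal GET.
        return True
    # HTTP dates have one-second resolution, so compare whole seconds.
    return int(mtime) > int(since)


# Constructed sample data: a fixed file mtime and a fixed server clock.
MTIME = 1262865600  # 2010-01-07 12:00:00 UTC
NOW = 1262908800    # 2010-01-08 00:00:00 UTC
SAMPLES = [
    "Fri, 34 Feb 3118 24:34:19 GMT",  # header from the ticket description
    "Fri, 01 Feb 3118 12:34:19 GMT",  # well formed, but in the future
    "not a date",
    "Thu, 07 Jan 2010 11:00:00 GMT",  # older than the file
    "Thu, 07 Jan 2010 12:00:00 GMT",  # same second as the file
]

if __name__ == "__main__":
    for header in SAMPLES:
        status = 200 if is_modified_since(header, MTIME, NOW) else 304
        print(f"{status}  If-Modified-Since: {header}")
```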
