Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#12544 closed (fixed)

Bogus If-Modified-Since header causes 500 in django.views.static.serve

Reported by: akaihola
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: static
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings:
UI/UX:

Description

Every now and then I get requests with a bogus If-Modified-Since header like

If-Modified-Since: Fri, 34 Feb 3118 24:34:19 GMT

These cause a server error.

Since invalid dates are most certainly only used by malicious clients, it would probably be safe to respond with a "not modified" HTTP response.

Attachments (2)

12544-handle-bogus-if-modified-since-r12117.diff (2.6 KB) - added by akaihola 4 years ago.
Fix and tests: handle bogus If-Modified-Since headers gracefully
12544-handle-bogus-if-modified-since-r12117.2.diff (2.5 KB) - added by akaihola 4 years ago.
Fixed to comply with RFC 2616 section 14.25

Change History (9)

Changed 4 years ago by akaihola

Fix and tests: handle bogus If-Modified-Since headers gracefully

comment:1 Changed 4 years ago by akaihola

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The patch fixes the server error by responding with "not modified" to requests with a bogus If-Modified-Since value. It also adds test cases for If-Modified-Since values

  • which are earlier than the mtime of the file
  • which are later than the mtime of the file
  • which are invalid

comment:2 Changed 4 years ago by akaihola

On second thought, I haven't checked what RFCs say about handling bogus timestamps, and maybe it would be wiser to respond with "has been modified" just in case there are legitimate broken clients out there. Thoughts?

comment:3 Changed 4 years ago by akaihola

Checked the RFC:

      a) If the request would normally result in anything other than a
         200 (OK) status, or if the passed If-Modified-Since date is
         invalid, the response is exactly the same as for a normal GET.
         A date which is later than the server's current time is
         invalid.

Fixed patch upcoming...

Changed 4 years ago by akaihola

Fixed to comply with RFC 2616 section 14.25

comment:4 Changed 4 years ago by russellm

  • Triage Stage changed from Unreviewed to Accepted

comment:5 Changed 4 years ago by jezdez

  • Patch needs improvement set

The patch doesn't work for me, e.g. mktime_tz doesn't raise an OverflowError for me.

comment:6 Changed 4 years ago by jezdez

  • Resolution set to fixed
  • Status changed from new to closed

(In [13870]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

comment:7 Changed 4 years ago by jezdez

(In [13871]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

Backport from trunk (r13870).
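
The rule quoted in comment:3 (RFC 2616 section 14.25), as an added example that is not taken from the ticket's patches or from Django's code: a stand-alone If-Modified-Since check that answers an invalid or future date exactly like a normal GET instead of raising. The names `parse_http_date`, `was_modified_since` and `status_for`, and the sample mtime and clock values, are assumptions made for illustration; the date is rejected when building the datetime fails, so the check does not depend on one particular exception being raised.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample values (not from the ticket): file mtime and server clock.
SAMPLE_MTIME = datetime(2010, 1, 8, 12, 0, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_NOW = datetime(2010, 1, 9, 12, 0, 0, tzinfo=timezone.utc)


def parse_http_date(value):
    """Return an aware UTC datetime, or None when the header is not a valid date."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
        if parsed.tzinfo is None:
            # No usable zone information: HTTP dates are GMT, so read it as UTC.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    except (TypeError, ValueError, OverflowError):
        # Unparseable text, or out-of-range fields such as day 34 / hour 24.
        return None


def was_modified_since(header, mtime, now=None):
    """True means: answer as for a normal GET. False means: 304 is allowed."""
    now = now or datetime.now(timezone.utc)
    since = parse_http_date(header)
    if since is None or since > now:
        # RFC 2616 section 14.25 (a): an invalid date, including one later
        # than the server's current time, gets the normal GET response.
        return True
    return int(mtime) > int(since.timestamp())


def status_for(header, mtime=SAMPLE_MTIME, now=SAMPLE_NOW):
    """HTTP status a static file view would send for this header."""
    return 200 if was_modified_since(header, mtime, now) else 304


if __name__ == "__main__":
    for h in ("Fri, 34 Feb 3118 24:34:19 GMT",   # the header from the ticket
              "Thu, 07 Jan 2010 12:00:00 GMT",   # earlier than the mtime
              "Fri, 08 Jan 2010 18:00:00 GMT",   # later than the mtime, not in the future
              "Fri, 01 Jan 3118 00:00:00 GMT",   # well-formed, but in the future
              None):                             # header absent
        print(repr(h), "->", status_for(h))
```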
