Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#12544 closed (fixed)

Bogus If-Modified-Since header causes 500 in django.views.static.serve

Reported by: Antti Kaihola
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: static
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings:
UI/UX:

Description

Every now and then I get requests with a bogus If-Modified-Since header like

If-Modified-Since: Fri, 34 Feb 3118 24:34:19 GMT

These cause a server error.

Since invalid dates are most certainly only used by malicious clients, it would probably be safe to respond with a "not modified" HTTP response.

Attachments (2)

12544-handle-bogus-if-modified-since-r12117.diff (2.6 KB) - added by Antti Kaihola 7 years ago.
Fix and tests: handle bogus If-Modified-Since headers gracefully
12544-handle-bogus-if-modified-since-r12117.2.diff (2.5 KB) - added by Antti Kaihola 7 years ago.
Fixed to comply with RFC 2616 section 14.25


Change History (9)

Changed 7 years ago by Antti Kaihola

Fix and tests: handle bogus If-Modified-Since headers gracefully

comment:1 Changed 7 years ago by Antti Kaihola

Has patch: set
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

The patch fixes the server error by responding with "not modified" to requests with a bogus If-Modified-Since value. It also adds test cases for If-Modified-Since values

  • which are earlier than the mtime of the file
  • which are later than the mtime of the file
  • which are invalid

comment:2 Changed 7 years ago by Antti Kaihola

On second thought, I haven't checked what RFCs say about handling bogus timestamps, and maybe it would be wiser to respond with "has been modified" just in case there are legitimate broken clients out there. Thoughts?

comment:3 Changed 7 years ago by Antti Kaihola

Checked the RFC:

      a) If the request would normally result in anything other than a
         200 (OK) status, or if the passed If-Modified-Since date is
         invalid, the response is exactly the same as for a normal GET.
         A date which is later than the server's current time is
         invalid.

Fixed patch upcoming...

Changed 7 years ago by Antti Kaihola

Fixed to comply with RFC 2616 section 14.25

comment:4 Changed 7 years ago by Russell Keith-Magee

Triage Stage: Unreviewed → Accepted

comment:5 Changed 6 years ago by Jannis Leidel

Patch needs improvement: set

The patch doesn't work for me, e.g. mktime_tz doesn't raise an OverflowError for me.

comment:6 Changed 6 years ago by Jannis Leidel

Resolution: fixed
Status: new → closed

(In [13870]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

comment:7 Changed 6 years ago by Jannis Leidel

(In [13871]) Fixed #12544 and #13600 -- Fixed static files serving view to catch invalid date from If-Modified-Since header. Thanks akaihola and SmileyChris for patches.

Backport from trunk (r13870).
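
The rule quoted from RFC 2616 section 14.25 in comment:3, as an added sketch that is neither the attached patch nor Django's code: it range-checks the parsed fields itself, since comment:5 reports that mktime_tz does not reliably raise OverflowError. The function names and the sample mtime and clock values are constructed for illustration.

```python
import calendar
import datetime
from email.utils import formatdate, parsedate_tz


def parse_http_date(value):
    """Return the header date as a UTC epoch timestamp, or None if invalid."""
    if not value or not value.strip():
        return None
    parsed = parsedate_tz(value)
    if parsed is None:
        return None
    try:
        # datetime() range-checks each field (day 34 and hour 24 both fail),
        # so nothing depends on mktime_tz raising OverflowError.
        moment = datetime.datetime(*parsed[:6])
    except (ValueError, OverflowError):
        return None
    return calendar.timegm(moment.timetuple()) - (parsed[9] or 0)


def needs_full_response(header, mtime, now):
    """True: answer as a normal GET. False: 304 Not Modified is allowed."""
    since = parse_http_date(header)
    # RFC 2616 14.25 (a): an invalid date, or one later than the server's
    # current time, gets exactly the response a normal GET would.
    if since is None or since > now:
        return True
    return int(mtime) > since


# Constructed sample values: file mtime and server clock, both UTC.
MTIME = calendar.timegm((2010, 1, 1, 0, 0, 0))
NOW = calendar.timegm((2010, 6, 1, 0, 0, 0))

if __name__ == "__main__":
    samples = [
        formatdate(MTIME - 3600, usegmt=True),   # earlier than mtime
        formatdate(MTIME + 3600, usegmt=True),   # later than mtime, not future
        formatdate(NOW + 86400, usegmt=True),    # valid but in the future
        "Fri, 34 Feb 3118 24:34:19 GMT",         # the header from this ticket
    ]
    for header in samples:
        status = 200 if needs_full_response(header, MTIME, NOW) else 304
        print(status, header)
```

Passing the server clock in as `now` keeps the future-date check testable without patching the system time.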
