Opened 9 months ago

Closed 8 months ago

Last modified 8 months ago

#30015 closed Bug (fixed)

HTTP server doesn't clear previous request data in keep-alive connection.

Reported by: Konstantin Alekseev Owned by: nobody
Component: HTTP handling Version: 2.1
Severity: Release blocker Keywords: keep-alive, server
Cc: Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Django 2.1.4 affected.
Commit that enabled keep-alive connections https://github.com/django/django/commit/934acf1126995f6e6ccba5947ec8f7561633c27f
Bug: if you make two requests in one keep-alive connection and first request posted data that wasn't read in the view
then on second request that data will be read alongside with first line of the new request.
As a result request.method will contain "..data from previous request...POST"

Pull request with test and possible fix https://github.com/django/django/pull/10732

Change History (7)

comment:1 Changed 9 months ago by Simon Charette

Cc: Florian Apolloner added
Component: Core (Other)HTTP handling
Severity: NormalRelease blocker
Triage Stage: UnreviewedAccepted
Type: UncategorizedBug

comment:2 Changed 9 months ago by Xavier Fernandez

Hello,

our Selenium tests were also affected by the same change (bisecting lead to https://github.com/django/django/commit/e1721ece485b35ab5543f134203a8a8ce9f31a7c which is https://github.com/django/django/commit/934acf1126995f6e6ccba5947ec8f7561633c27f).

Basically, the webdriver get(url) gets stuck for several hundred of seconds leading to test timeout, I'm trying to build a minimal selenium test showing this regression.
In the meanwhile, the provided patch makes our tests pass again but seems to crash a bunch of threads with:

  File "/home/xfernandez/other_dev/django/django/core/servers/basehttp.py", line 101, in close
    obj._stream._read_limited()
AttributeError: '_io.BytesIO' object has no attribute '_read_limited'

or

  File "/home/xfernandez/other_dev/django/django/core/servers/basehttp.py", line 99, in close
    for obj in self.result._closable_objects:
AttributeError: 'FileWrapper' object has no attribute '_closable_objects'

comment:3 Changed 9 months ago by Xavier Fernandez

Nevermind my previous comment, my issue was in fact different (and might actually be invalid), cf #30018

comment:4 Changed 8 months ago by Carlton Gibson

Triage Stage: AcceptedReady for checkin

comment:5 Changed 8 months ago by Carlton Gibson <carlton.gibson@…>

Resolution: fixed
Status: newclosed

In b514dc14:

Fixed #30015 -- Ensured request body is properly consumed for keep-alive connections.

comment:6 Changed 8 months ago by Tim Graham <timograham@…>

In bbe28fa0:

Refs #30015 -- Added 2.1.5 release note and removed 'we' in comments.

comment:7 Changed 8 months ago by Tim Graham <timograham@…>

In 08f78a4f:

[2.1.x] Fixed #30015 -- Ensured request body is properly consumed for keep-alive connections.

Backport of b514dc14f4e1c364341f5931b354e83ef15ee12d and
bbe28fa07658f00786dc1d91ee281b4daac22d07 from master.

Note: See TracTickets for help on using tickets.
Back to Top