HttpServlet.doHead sets content-length #225
Comments
|
How does that happen? Wouldn't whatever causes the response to chunked also commit it? That would mean the later attempt to set a content length header would be ignored. |
|
With a GET request that writes it's response data with multiple writes, eventually the internal aggregation buffer fills up and the response is committed, typically using chunking or EOF to delimit the response. Thus the GET request has Note that it is kind of useful that a HEAD request can be used to determine the content-length (when a chunked response to a head would not). But being useful does not mean it is right.... Note also that it has been this way for a long time, so perhaps it is fine to leave as is.... just wanted to make sure we are doing so on purpose ! |
|
Thanks for the explanation. I was looking at the case of an explicit flush that forced chunking. Things work correctly in that case. |
|
Note also that I really don't like implementations in APIs. Container implementations have to deal with HEAD responses anyway because doHead may be overridden, so it adds no value. |
|
If a Servlet overrides |
|
I take the view that it is the containers job to be RFC compliant on the protocol where ever possible. So if a servlet starts sending content as the response to a HEAD request, then the container has to not allow that content to be put on the wire. To do so would be a bit of a security issue as it would allow a servlet to inject a response to the following request. So any container relying on doHead implementations is a bit on shaky ground I think. |
|
Sorry, should have been clearer as I think we are in broad agreement. |
|
As a related problem, the doHead implementation is based on int, so it fails if a very large content is accessed. The impl needs to be updated to support a long. It also probably needs to do something about async IO... at the very least ISE if it can't fake a callback. I'll prepare a PR. |
gregw
added
the
Candidate4NextRelease
Fix #225 by: + converting the contentLength field to a long + checking against bufferSize before setting a content length to simulate a buffer overflow + support flush and close + pass through async IO listener
+ check content-length against buffer size on every write
Fix #225 by: + converting the contentLength field to a long + checking against bufferSize before setting a content length to simulate a buffer overflow + support flush and close + pass through async IO listener
+ check content-length against buffer size on every write
Issue #225 doHead contentLength + converting the contentLength field to a long + checking against bufferSize before setting a content length to simulate a buffer overflow + support flush and close + pass through async IO listener * Issue #225 doHead contentLength + check content-length against buffer size on every write * Improved clarity of the writer flush mechanism * Added unit test * Alternate approach + fixed some definite bugs in Nobody response + made the use of Nobody response optional. * + use SC init parameter to enable legacy doHead handling * Deprecated legacy mode and added text in spec * format Signed-off-by: Greg Wilkins <gregw@webtide.com> * format Signed-off-by: Greg Wilkins <gregw@webtide.com> * merged and updated for deprecated and new methods.
Issue jakartaee#225 doHead fixes: + fixed reset handling in `NoBodyResponse` and `NoBodyOutputStream` + better implementation of async IO methods in `NoBodyOutputStream` + replaced `doHead` implementation with direct call of `doGet` and legacy nobody mode. + added unit tests. Signed-off-by: Greg Wilkins <gregw@webtide.com>
The implementation of HttpServlet.doHead sets content-length, even if the
doGetimplementation does not. This results in different headers being sent, specifically a GET request that would send a chunked response will respond to a HEAD request without being chunked. This is contrary to RFC7230 which allows for content headers to be omitted, but not altered.The text was updated successfully, but these errors were encountered: