* According to RFC 2616 8.2.3 we are not allowed to forward an
authorRuediger Pluem <rpluem@apache.org>
Thu, 29 May 2008 22:19:17 +0000 (22:19 +0000)
committerRuediger Pluem <rpluem@apache.org>
Thu, 29 May 2008 22:19:17 +0000 (22:19 +0000)
  Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return
  a HTTP_EXPECTATION_FAILED.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@661506 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/proxy/mod_proxy_http.c

diff --git a/CHANGES b/CHANGES
index 85b06acb8479d2f8e888c46ea176842f6beb29ee..5971b2322eb870fe63d4b6f3beea34aeb49f1022 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
+     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
+     [Ruediger Pluem]
+
   *) core, authn/z: Determine registered authn/z providers directly in
      ap_setup_auth_internal(), which allows optional functions that just
      wrapped ap_list_provider_names() to be removed from authn/z modules.
index 582a4a82362c92bd01e2587de8e0034b888cc191..86c082fbe6e6581d6e9c1697b1b4410665c61b34 100644 (file)
@@ -692,6 +692,14 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
         buf = apr_pstrcat(p, r->method, " ", url, " HTTP/1.0" CRLF, NULL);
         force10 = 1;
+        /*
+         * According to RFC 2616 8.2.3 we are not allowed to forward an
+         * Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return
+         * a HTTP_EXPECTATION_FAILED
+         */
+        if (r->expecting_100) {
+            return HTTP_EXPECTATION_FAILED;
+        }
         p_conn->close++;
     } else {
         buf = apr_pstrcat(p, r->method, " ", url, " HTTP/1.1" CRLF, NULL);
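Review bot: The new `return HTTP_EXPECTATION_FAILED;` exits before any request body has been read from the client, so the 417 path relies on code outside this hunk to handle a body the client may still send. If the caller keeps the client connection alive without discarding that body, the leftover bytes could be parsed as a separate request. That is worth confirming and recording in the comment, e.g. `/* Nothing was sent to the backend and the client body is unread; the caller must discard it or close the connection. */`. The check would also read more clearly if it sat above the `apr_pstrcat()` call, since the HTTP/1.0 request line and `force10 = 1` are unused on this path. The guard only covers backends flagged through `force-proxy-request-1.0`, and the body of ap_proxy_http_request continues outside the hunk.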