Enforce Content-Length in catch_errors
If a WSGI application produces the header "Content-Length: <N>" but does not produce exactly N bytes of response, then that is an error and an exception should be thrown so that the WSGI server can take the correct action (close the TCP connection for HTTP <= 1.1, something else for HTTP 2.0). As part of this, I also fixed a bug in DLOs where a HEAD response might have a body. The way it works is this: * user makes HEAD request for DLO manifest * DLO middleware makes GET request for container * authorize callback (e.g. from tempurl) replies 401 for container GET; response has a nonempty body (it's a GET response; that's fine) * DLO notes that response is non-2xx, returns it as-is * client gets response with nonempty body to a HEAD request The fix there was simple; if the original request method was HEAD, clear out the response body. Change-Id: I74d8c13eba2a4917b5a116875b51a781b33a7abf Related-Bug: 1568650
This commit is contained in:
		| @@ -16,10 +16,44 @@ | ||||
| from swift import gettext_ as _ | ||||
|  | ||||
| from swift.common.swob import Request, HTTPServerError | ||||
| from swift.common.utils import get_logger, generate_trans_id | ||||
| from swift.common.utils import get_logger, generate_trans_id, close_if_possible | ||||
| from swift.common.wsgi import WSGIContext | ||||
|  | ||||
|  | ||||
| class BadResponseLength(Exception): | ||||
|     pass | ||||
|  | ||||
|  | ||||
| def enforce_byte_count(inner_iter, nbytes): | ||||
|     """ | ||||
|     Enforces that inner_iter yields exactly <nbytes> bytes before | ||||
|     exhaustion. | ||||
|  | ||||
|     If inner_iter fails to do so, BadResponseLength is raised. | ||||
|  | ||||
|     :param inner_iter: iterable of bytestrings | ||||
|     :param nbytes: number of bytes expected | ||||
|     """ | ||||
|     try: | ||||
|         bytes_left = nbytes | ||||
|         for chunk in inner_iter: | ||||
|             if bytes_left >= len(chunk): | ||||
|                 yield chunk | ||||
|                 bytes_left -= len(chunk) | ||||
|             else: | ||||
|                 yield chunk[:bytes_left] | ||||
|                 raise BadResponseLength( | ||||
|                     "Too many bytes; truncating after %d bytes " | ||||
|                     "with at least %d surplus bytes remaining" % ( | ||||
|                         nbytes, len(chunk) - bytes_left)) | ||||
|  | ||||
|         if bytes_left: | ||||
|             raise BadResponseLength('Expected another %d bytes' % ( | ||||
|                 bytes_left,)) | ||||
|     finally: | ||||
|         close_if_possible(inner_iter) | ||||
|  | ||||
|  | ||||
| class CatchErrorsContext(WSGIContext): | ||||
|  | ||||
|     def __init__(self, app, logger, trans_id_suffix=''): | ||||
| @@ -35,6 +69,7 @@ class CatchErrorsContext(WSGIContext): | ||||
|  | ||||
|         trans_id = generate_trans_id(trans_id_suffix) | ||||
|         env['swift.trans_id'] = trans_id | ||||
|         method = env['REQUEST_METHOD'] | ||||
|         self.logger.txn_id = trans_id | ||||
|         try: | ||||
|             # catch any errors in the pipeline | ||||
| @@ -48,6 +83,37 @@ class CatchErrorsContext(WSGIContext): | ||||
|             resp.headers['X-Openstack-Request-Id'] = trans_id | ||||
|             return resp(env, start_response) | ||||
|  | ||||
|         # If the app specified a Content-Length, enforce that it sends that | ||||
|         # many bytes. | ||||
|         # | ||||
|         # If an app gives too few bytes, then the client will wait for the | ||||
|         # remainder before sending another HTTP request on the same socket; | ||||
|         # since no more bytes are coming, this will result in either an | ||||
|         # infinite wait or a timeout. In this case, we want to raise an | ||||
|         # exception to signal to the WSGI server that it should close the | ||||
|         # TCP connection. | ||||
|         # | ||||
|         # If an app gives too many bytes, then we can deadlock with the | ||||
|         # client; if the client reads its N bytes and then sends a large-ish | ||||
|         # request (enough to fill TCP buffers), it'll block until we read | ||||
|         # some of the request. However, we won't read the request since | ||||
|         # we'll be trying to shove the rest of our oversized response out | ||||
|         # the socket. In that case, we truncate the response body at N bytes | ||||
|         # and raise an exception to stop any more bytes from being | ||||
|         # generated and also to kill the TCP connection. | ||||
|         if self._response_headers: | ||||
|             content_lengths = [val for header, val in self._response_headers | ||||
|                                if header.lower() == "content-length"] | ||||
|             if len(content_lengths) == 1: | ||||
|                 try: | ||||
|                     content_length = int(content_lengths[0]) | ||||
|                 except ValueError: | ||||
|                     pass | ||||
|                 else: | ||||
|                     resp = enforce_byte_count( | ||||
|                         resp, | ||||
|                         0 if method == 'HEAD' else content_length) | ||||
|  | ||||
|         # make sure the response has the trans_id | ||||
|         if self._response_headers is None: | ||||
|             self._response_headers = [] | ||||
|   | ||||
| @@ -154,6 +154,9 @@ class GetContext(WSGIContext): | ||||
|  | ||||
|         con_resp = con_req.get_response(self.dlo.app) | ||||
|         if not is_success(con_resp.status_int): | ||||
|             if req.method == 'HEAD': | ||||
|                 close_if_possible(con_resp.app_iter) | ||||
|                 con_resp.body = '' | ||||
|             return con_resp, None | ||||
|         with closing_if_possible(con_resp.app_iter): | ||||
|             return None, json.loads(''.join(con_resp.app_iter)) | ||||
|   | ||||
| @@ -137,6 +137,63 @@ class TestCatchErrors(unittest.TestCase): | ||||
|         resp = app(req.environ, self.start_response) | ||||
|         self.assertEqual(list(resp), ['An error occurred']) | ||||
|  | ||||
|     def test_HEAD_with_content_length(self): | ||||
|         def cannot_count_app(env, sr): | ||||
|             sr("200 OK", [("Content-Length", "10")]) | ||||
|             return [b""] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(cannot_count_app, {}) | ||||
|         list(app({'REQUEST_METHOD': 'HEAD'}, self.start_response)) | ||||
|  | ||||
|     def test_short_response_body(self): | ||||
|  | ||||
|         def cannot_count_app(env, sr): | ||||
|             sr("200 OK", [("Content-Length", "2000")]) | ||||
|             return [b"our staff tailor is Euripedes Imenedes"] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(cannot_count_app, {}) | ||||
|  | ||||
|         with self.assertRaises(catch_errors.BadResponseLength): | ||||
|             list(app({'REQUEST_METHOD': 'GET'}, self.start_response)) | ||||
|  | ||||
|     def test_long_response_body(self): | ||||
|         def cannot_count_app(env, sr): | ||||
|             sr("200 OK", [("Content-Length", "10")]) | ||||
|             return [b"our optometric firm is C.F. Eye Care"] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(cannot_count_app, {}) | ||||
|  | ||||
|         with self.assertRaises(catch_errors.BadResponseLength): | ||||
|             list(app({'REQUEST_METHOD': 'GET'}, self.start_response)) | ||||
|  | ||||
|     def test_bogus_content_length(self): | ||||
|  | ||||
|         def bogus_cl_app(env, sr): | ||||
|             sr("200 OK", [("Content-Length", "25 cm")]) | ||||
|             return [b"our British cutlery specialist is Sir Irving Spoon"] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(bogus_cl_app, {}) | ||||
|         list(app({'REQUEST_METHOD': 'GET'}, self.start_response)) | ||||
|  | ||||
|     def test_no_content_length(self): | ||||
|  | ||||
|         def no_cl_app(env, sr): | ||||
|             sr("200 OK", [("Content-Type", "application/names")]) | ||||
|             return [b"our staff statistician is Marge Inovera"] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(no_cl_app, {}) | ||||
|         list(app({'REQUEST_METHOD': 'GET'}, self.start_response)) | ||||
|  | ||||
|     def test_multiple_content_lengths(self): | ||||
|  | ||||
|         def poly_cl_app(env, sr): | ||||
|             sr("200 OK", [("Content-Length", "30"), | ||||
|                           ("Content-Length", "40")]) | ||||
|             return [b"The head of our personal trainers is Jim Shortz"] | ||||
|  | ||||
|         app = catch_errors.CatchErrorMiddleware(poly_cl_app, {}) | ||||
|         list(app({'REQUEST_METHOD': 'GET'}, self.start_response)) | ||||
|  | ||||
|  | ||||
| if __name__ == '__main__': | ||||
|     unittest.main() | ||||
|   | ||||
| @@ -612,6 +612,21 @@ class TestDloGetManifest(DloTestCase): | ||||
|         self.assertEqual(status, "200 OK") | ||||
|         self.assertEqual(body, "aaaaabbbbbccccc") | ||||
|  | ||||
|     def test_error_listing_container_HEAD(self): | ||||
|         self.app.register( | ||||
|             'GET', '/v1/AUTH_test/c?prefix=seg_', | ||||
|             # for example, if a manifest refers to segments in another | ||||
|             # container, but the user is accessing the manifest via a | ||||
|             # container-level tempurl key | ||||
|             swob.HTTPUnauthorized, {}, None) | ||||
|  | ||||
|         req = swob.Request.blank('/v1/AUTH_test/mancon/manifest-many-segments', | ||||
|                                  environ={'REQUEST_METHOD': 'HEAD'}) | ||||
|         with mock.patch(LIMIT, 3): | ||||
|             status, headers, body = self.call_dlo(req) | ||||
|         self.assertEqual(status, "401 Unauthorized") | ||||
|         self.assertEqual(body, b"") | ||||
|  | ||||
|     def test_mismatched_etag_fetching_second_segment(self): | ||||
|         self.app.register( | ||||
|             'GET', '/v1/AUTH_test/c/seg_02', | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Samuel Merritt
					Samuel Merritt