Issue 8704: cgitb sends a bogus HTTP header if the app crashes before finishing headers - Python tracker

classification

Title:	cgitb sends a bogus HTTP header if the app crashes before finishing headers
Type:	behavior	Stage:
Components:	Library (Lib)	Versions:	Python 3.2, Python 2.7

process

Status:	open	Resolution:
Dependencies:		Superseder:
Assigned To:		Nosy List:	meatballhat, orsenthil, stutzbach, ysj.ray
Priority:	normal	Keywords:	easy

Created on 2010-05-13 14:12 by stutzbach, last changed 2011-03-18 02:11 by orsenthil.

Messages (3)
msg105633 - (view)	Author: Daniel Stutzbach (stutzbach)	Date: 2010-05-13 14:12
If the CGI script crashes before finishing the headers, cgitb will emit invalid HTTP headers before showing the error message. Below are HTTP headers I received, captured with a packet sniffer. Note the "<--: spam". HTTP/1.1 200 OK Date: Thu, 13 May 2010 14:00:42 GMT Server: Apache/2.2.9 <!--: spam Vary: Accept-Encoding Cache-Control: max-age=0 Expires: Thu, 13 May 2010 14:00:42 GMT Set-Cookie: ref=; path=/; HttpOnly Transfer-Encoding: chunked Content-Type: text/html That string it emitted by cgitb.reset(), which is trying to reset the browser to a sane state so the error message will be shown. The problem can be easily fixed by having cgitb.reset() emit two CRLF pairs first, to ensure that we're done with the headers and emitting content: - return '''<!--: spam + return '''\r\n\r\n<!--: spam
msg105690 - (view)	Author: ysj.ray (ysj.ray)	Date: 2010-05-14 07:57
Yes, I saw the "<!--: spam" string in headers, but it seems that this string doesn't make problems. The displaying page is correct. But after I apply the changes you mentioned: - return '''<!--: spam + return '''\r\n\r\n<!--: spam I got text/plain output, and the response headers are like this: Date Fri, 14 May 2010 07:30:03 GMT Server Apache/2.2.15 (Unix) Keep-Alive timeout=5, max=100 Connection Keep-Alive Transfer-Encoding chunked Content-Type text/plain And the content is like this: <!--: spam Content-Type: text/html <body bgcolor="#f0f0f8"><font color="#f0f0f8" size="-5"> --> <body bgcolor="#f0f0f8"><font color="#f0f0f8" size="-5"> --> --> ...... So the hole page is not displayed correctly! Is there any problem with me?
msg105705 - (view)	Author: Daniel Stutzbach (stutzbach)	Date: 2010-05-14 13:06
It displays correctly in some browsers, yes, but not everything that speaks HTTP is a browser. For example, the invalid header makes C#'s WebRequest throw an exception. I hadn't noticed the 'Content-Type' on the next line of the string output by reset(). That does make things more complicated. We could put the "Content-Type: text/html" first, but the downside is that it will be output as visible content if a script crashes after the headers have been emitted. I'm not sure if that's better or worse than emitting an invalid header.

History
Date	User	Action	Args
2011-03-18 02:11:43	orsenthil	set	nosy: + orsenthil
2010-05-14 13:06:35	stutzbach	set	messages: + msg105705
2010-05-14 07:57:48	ysj.ray	set	nosy: + ysj.ray messages: + msg105690
2010-05-14 01:44:28	meatballhat	set	nosy: + meatballhat
2010-05-13 14:12:58	stutzbach	set	keywords: + easy
2010-05-13 14:12:50	stutzbach	create