rpms / ipa

Clone
Source Code
GIT

Files

  1.   a757688ec35e1e0152fd2998400c56ec5fc03279
  2.   SOURCES
  3.   0021-rpc_always_read_response_rhbz#1639890.patch
Blob Blame History Raw 
From 4c0e7d69e461a28a254e7c7a27c2768be3163a3d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 7 Nov 2018 17:06:47 +1100
Subject: [PATCH] rpc: always read response

If the server responds 401 and the response body is empty, the
client raises ResponseNotReady.  This occurs because:

1. For a non-200 response, the response read only if the
   Content-Length header occurs.

2. The response must be read before another request (e.g. the
   follow-up request with WWW-Authenticate header set), and this
   condition was not met.  For details see
   https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.

This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.

Nevertheless, this problem has been observed in the wild.  I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.

Resolve the issue by always reading the response.  It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.

Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
 ipalib/rpc.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index b27f3cef9c..23841d0a4c 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -712,8 +712,15 @@ def single_request(self, host, handler, request_body, verbose=0):
                     response = h.getresponse()
 
                 if response.status != 200:
-                    if (response.getheader("content-length", 0)):
-                        response.read()
+                    # Must read response (even if it is empty)
+                    # before sending another request.
+                    #
+                    # https://docs.python.org/3/library/http.client.html
+                    #   #http.client.HTTPConnection.getresponse
+                    #
+                    # https://pagure.io/freeipa/issue/7752
+                    #
+                    response.read()
 
                     if response.status == 401:
                         if not self._auth_complete(response):

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation