diff options
| author | Fraser Tweedale <[email protected]> | 2018-11-07 17:06:47 +1100 |
|---|---|---|
| committer | Christian Heimes <[email protected]> | 2018-11-07 08:39:42 +0100 |
| commit | b8007e14ccf1d49f1c255df6344972fbe040810d (patch) | |
| tree | 356e3a8777bd1e0795e74f4b464b50d1dc2847b3 /ipalib | |
| parent | 4cd26fcba5b444020536935c979e44af4fdc654b (diff) | |
| download | freeipa-b8007e14ccf1d49f1c255df6344972fbe040810d.tar.gz freeipa-b8007e14ccf1d49f1c255df6344972fbe040810d.tar.xz freeipa-b8007e14ccf1d49f1c255df6344972fbe040810d.zip | |
rpc: always read response
If the server responds 401 and the response body is empty, the
client raises ResponseNotReady. This occurs because:
1. For a non-200 response, the response read only if the
Content-Length header occurs.
2. The response must be read before another request (e.g. the
follow-up request with WWW-Authenticate header set), and this
condition was not met. For details see
https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.
This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.
Nevertheless, this problem has been observed in the wild. I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.
Resolve the issue by always reading the response. It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.
Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <[email protected]>
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/rpc.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 676cbdbcf..1ef0f5e95 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -710,8 +710,15 @@ class KerbTransport(SSLTransport): response = h.getresponse() if response.status != 200: - if (response.getheader("content-length", 0)): - response.read() + # Must read response (even if it is empty) + # before sending another request. + # + # https://docs.python.org/3/library/http.client.html + # #http.client.HTTPConnection.getresponse + # + # https://pagure.io/freeipa/issue/7752 + # + response.read() if response.status == 401: if not self._auth_complete(response): |