[piranha@xxxxxxxxxxxxxxx: Bug#402490: polipo: Incorrectly caches 302 responses, breaking LiveJournal]

----- Forwarded message from "J.P. Larocque" <piranha@xxxxxxxxxxxxxxx> -----

Date: Sun, 10 Dec 2006 11:58:04 -0800
From: "J.P. Larocque" <piranha@xxxxxxxxxxxxxxx>
Reply-To: "J.P. Larocque" <piranha@xxxxxxxxxxxxxxx>, 402490@xxxxxxxxxxxxxxx
To: submit@xxxxxxxxxxxxxxx
User-Agent: Mutt/1.5.9i
Subject: Bug#402490: polipo: Incorrectly caches 302 responses, breaking 
LiveJournal

Package: polipo
Version: 0.9.10-1

Polipo violates RFC 2616, Section 13.4, Response Cacheability:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.4

    A response received with any other status code (e.g. status codes
    302 and 307) MUST NOT be returned in a reply to a subsequent
    request unless there are cache-control directives or another
    header(s) that explicitly allow it. For example, these include the
    following: an Expires header (section [28]14.21); a "max-age",
    "s-maxage", "must- revalidate", "proxy-revalidate", "public" or
    "private" cache-control directive (section [29]14.9).

It's easy to prove that Polipo fails this requirement.  With the
environment variable "http_proxy" configured to use a Polipo web
proxy, try this command:  (The URI may be substituted with anything
that returns a 302 response.)

    curl --header 'Pragma:' -v http://ely.ath.cx/~piranha/redirect-302

The empty Pragma header field directs curl to not send "Pragma:
no-cache".  This is the output on my machine:

* About to connect() to wwwproxy.cnames port 8080
*   Trying 2002:c6ca:19fb:806:f085:2dff:fe5f:aaed... * connected
* Connected to wwwproxy.cnames (2002:c6ca:19fb:806:f085:2dff:fe5f:aaed) port 
8080
> GET http://ely.ath.cx/~piranha/redirect-302 HTTP/1.1
User-Agent: curl/7.13.2 (i386-pc-linux-gnu) libcurl/7.13.2 OpenSSL/0.9.7e 
zlib/1.2.2 libidn/0.5.13
Host: ely.ath.cx
Accept: */*

< HTTP/1.1 302 Found
< Content-Length: 376
< Date: Sat, 09 Dec 2006 10:53:03 GMT
< Via: 1.1 wet-blanket.ely.ath.cx
< Server: Apache/2.0.54 (Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 
PHP/4.3.10-18 mod_ssl/2.0.54 OpenSSL/0.9.7e
< Location: http://non-existent.example.com/
< Content-Type: text/html; charset=iso-8859-1
< Age: 14
< Connection: keep-alive
[body follows]

If you try this more than once with several seconds in-between your
requests, you'll see that the Date header field does not increase.
The Age header field also indicates that Polipo is caching the 302
response.

Note that, near as I can tell, the response from the server does not
include an Expires or Cache-Control header field, or anything else
that may "explicitly allow" the response to be cached.

This has the practical implication of not being able to use a great
deal of LiveJournal.com, as user-agents get caught in loops of 302
redirections, caused by improper caching from Polipo.  I've analyzed a
packet capture of such a loop, and determined that each of the 302
responses from the LiveJournal servers do not indicate that caching
those responses was acceptable.

This problem occurs even with relaxTransparency disabled and
cacheIsShared enabled.

The problem still exists in the darcs snapshot I grabbed.
dontCacheRedirects (not in 0.9.10) doesn't quite fix the problem
(doesn't reliably avoid caching 302s), but seems to work around the
symptom on LJ.  (dontCacheRedirects isn't desirable, as the
documentation states that it disables caching of all redirect
responses, particularly those that explicitly allow caching through
Cache-Control, Expires, or some other header field.)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.29-xen
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages polipo depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries

polipo recommends no packages.

-- no debconf information

-- 
J.P. Larocque: <piranha@xxxxxxxxxxxxxxx>, <piranha@xxxxxxxxxx>


----- End forwarded message -----

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV