Andrew Biggs pointed out a "Expect: 100-continue" flaw where libcurl didn't

send the whole request at once, even though the Expect: header was disabled by the application. An effect of this change is also that small (< 1024 bytes) POSTs are now always sent without Expect: header since we deem it more costly to bother about that than the risk that we send the data in vain.
2025-03-11 07:39:50 -04:00 · 2006-08-18 22:54:57 +00:00 · 2006-08-18 22:54:57 +00:00 · 490cccba3c
commit 490cccba3c
parent 839441e236
8 changed files with 32 additions and 24 deletions
--- a/10
+++ b/10
@ -6,6 +6,14 @@
                                  Changelog
 Daniel (19 August 2006)
 - Andrew Biggs pointed out a "Expect: 100-continue" flaw where libcurl didn't
  send the whole request at once, even though the Expect: header was disabled
  by the application. An effect of this change is also that small (< 1024
  bytes) POSTs are now always sent without Expect: header since we deem it
  more costly to bother about that than the risk that we send the data in
  vain.
 Daniel (9 August 2006)
 - Armel Asselin made the CURLOPT_PREQUOTE option work fine even when
  CURLOPT_NOBODY is set true. PREQUOTE is then run roughly at the same place
@ -13,7 +21,7 @@ Daniel (9 August 2006)
  transfer.
 Daniel (8 August 2006)
- - Fixed a flaw in the "Expect: 100-continue" treatment. If you did two POSTs
+- Fixed a flaw in the "Expect: 100-continue" treatment. If you did two POSTs
  on a persistent connection and allowed the first to use that header, you
  could not disable it for the second request.
--- a/2
+++ b/2
@ -29,6 +29,6 @@ New curl mirrors:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
- Domenico Andreoli, Armel Asselin, Gisle Vanem, Yang Tse
+ Domenico Andreoli, Armel Asselin, Gisle Vanem, Yang Tse, Andrew Biggs
        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/http.c
+++ b/lib/http.c
@ -2249,16 +2249,24 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
      if(data->set.postfields) {
-        if((data->state.authhost.done || data->state.authproxy.done )
+        /* for really small posts we don't use Expect: headers at all, and for
-           && (postsize < MAX_INITIAL_POST_SIZE)) {
+           the somewhat bigger ones we allow the app to disable it */
-          /* If we're not done with the authentication phase, we don't expect
+        if(postsize > TINY_INITIAL_POST_SIZE) {
-             to actually send off any data yet. Hence, we delay the sending of
+          result = expect100(data, req_buffer);
-             the body until we receive that friendly 100-continue response */
+          if(result)
            return result;
        }
        else
          data->state.expect100header = FALSE;
-          /* The post data is less than MAX_INITIAL_PORT_SIZE, then append it
+        if(!data->state.expect100header &&
-             to the header. This limit is no magic limit but only set to
+           (postsize < MAX_INITIAL_POST_SIZE))  {
-             prevent really huge POSTs to get the data duplicated with
+          /* if we don't use expect:-100  AND
-             malloc() and family. */
+             postsize is less than MAX_INITIAL_POST_SIZE
             then append the post data to the HTTP request header. This limit
             is no magic limit but only set to prevent really huge POSTs to
             get the data duplicated with malloc() and family. */
          result = add_buffer(req_buffer, "\r\n", 2); /* end of headers! */
          if(result)
@ -2297,18 +2305,10 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
          /* set the upload size to the progress meter */
          Curl_pgrsSetUploadSize(data, http->postsize);
          result = expect100(data, req_buffer);
          if(result)
            return result;
          add_buffer(req_buffer, "\r\n", 2); /* end of headers! */
        }
      }
      else {
        result = expect100(data, req_buffer);
        if(result)
          return result;
        add_buffer(req_buffer, "\r\n", 2); /* end of headers! */
        if(data->set.postfieldsize) {
--- a/lib/http.h
+++ b/lib/http.h
@ -74,7 +74,11 @@ int Curl_http_should_fail(struct connectdata *conn);
   It must not be greater than 64K to work on VMS.
 */
 #ifndef MAX_INITIAL_POST_SIZE
-#define MAX_INITIAL_POST_SIZE 1024
+#define MAX_INITIAL_POST_SIZE (64*1024)
 #endif
 #ifndef TINY_INITIAL_POST_SIZE
 #define TINY_INITIAL_POST_SIZE 1024
 #endif
 #endif
--- a/tests/data/test508
+++ b/tests/data/test508
@ -39,7 +39,6 @@ Host: 127.0.0.1:%HTTPPORT
 Accept: */*
 Content-Length: 45
 Content-Type: application/x-www-form-urlencoded
 Expect: 100-continue
 this is what we post to the silly web server
 </protocol>
--- a/tests/data/test510
+++ b/tests/data/test510
@ -39,7 +39,6 @@ Host: 127.0.0.1:%HTTPPORT
 Accept: */*
 Transfer-Encoding: chunked
 Content-Type: application/x-www-form-urlencoded
 Expect: 100-continue
 3
 one
--- a/tests/data/test513
+++ b/tests/data/test513
@ -30,7 +30,6 @@ Host: 127.0.0.1:%HTTPPORT
 Accept: */*
 Content-Length: 1
 Content-Type: application/x-www-form-urlencoded
 Expect: 100-continue
 </protocol>
 # 42 - aborted by callback
--- a/tests/data/test515
+++ b/tests/data/test515
@ -40,7 +40,6 @@ Host: 127.0.0.1:%HTTPPORT
 Accept: */*
 Content-Length: 0
 Content-Type: application/x-www-form-urlencoded
 Expect: 100-continue
 </protocol>
 </verify>