* According to RFC 2616 8.2.3 we are not allowed to forward an

Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return
  a HTTP_EXPECTATION_FAILED.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@661506 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -2,6 +2,10 @@
 Changes with Apache 2.3.0
 [ When backported to 2.2.x, remove entry from this file ]
 
+  *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
+     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
+     [Ruediger Pluem]
+
   *) core, authn/z: Determine registered authn/z providers directly in
      ap_setup_auth_internal(), which allows optional functions that just
      wrapped ap_list_provider_names() to be removed from authn/z modules.

modules/proxy/mod_proxy_http.c

@@ -692,6 +692,14 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
         buf = apr_pstrcat(p, r->method, " ", url, " HTTP/1.0" CRLF, NULL);
         force10 = 1;
+        /*
+         * According to RFC 2616 8.2.3 we are not allowed to forward an
+         * Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return
+         * a HTTP_EXPECTATION_FAILED
+         */
+        if (r->expecting_100) {
+            return HTTP_EXPECTATION_FAILED;
+        }
         p_conn->close++;
     } else {
         buf = apr_pstrcat(p, r->method, " ", url, " HTTP/1.1" CRLF, NULL);