W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Re: NULL-Request (Sect. 4.1)

From: Dave Kristol <dmk@allegra.att.com>
Date: Wed, 24 Apr 96 09:59:07 EDT
Message-Id: <9604241359.AA26360@zp.tempo.att.com.tempo.att.com>
To: fielding@avron.ICS.UCI.EDU
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
"Roy T. Fielding" <fielding@avron.ICS.UCI.EDU> wrote:
  > > [DMK]
  > > I believe NULL-Request was added to handle the lingering CRLF following
  > > a POSTed entity body.  It may have an unexpected and unintended
  > > interaction with persistent connections:  because the NULL-Request has
  > > no HTTP-Version and no Connection header, the server is obliged to
  > > close the connection after servicing the NULL-Request.
  > 
  > Well, Dave, I must say that you have a perverse way of reading specs
  > that discovers problems I would never even dream of.  ;-)

Um, thanks, I guess.  It comes from intense language lawyering for the
ANSI C spec.

  > I've noticed that some implementers manage to derive similar
  > interpretations, so I'm glad you find them first.

Well, I found it because indeed I was trying to figure out exactly how
to implement null requests and noticed the presumed unintended
side-effect.
  > 
  > Any thoughts as to what/where words need to be added to prevent this
  > unfortunate event?

Not really.  The NULL-Request idea seems attractive at first glance,
but it makes me nervous that a server should silently eat and discard
an arbitrary number of blank lines (assuming the persistent connection
issue gets side-stepped).  That opens the gate for a malicious client
to mount a denial of service attack by pumping a stream of CRLF's at a
server.  I'm more inclined to deal with it as a special-case hack:

- if there is a POST, and
- if the connection is held open,
- (and if the request is HTTP/1.0?),
the server should look for, and silently discard, a CRLF that follows
the entity body.
Dave
Received on Wednesday, 24 April 1996 07:10:00 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:51 EDT