W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1999

Re: Resend: Re: IPP> Chunked POST: SUMMARY

From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
Date: Sun, 24 Jan 1999 00:48:32 -0800
To: John Franks <john@math.nwu.edu>
Cc: kugler@us.ibm.com, http-wg@hplb.hpl.hp.com, ipp@pwg.org
Message-Id: <9901240048.aa07811@paris.ics.uci.edu>
>This discussion is getting off track.  There is a problem here and it
>may well impinge on IPP.  But the problem is not with the HTTP spec.
>
>The problem is that there is no way to use CGI with chunked message-bodies.
>This is can be viewed as a limitation of CGI (CGI's problem) or a 
>limitation of the most popular implementations of HTTP (HTTP implementor's
>problem).  But it is not a problem with the HTT Protocol.  HTTP does
>not prevent using chunking with CGI and it is not hard to find servers
>which support this, even though the most popular ones do not.

Agreed.

>Also this really has nothing to do with denial of service which can be
>done in lots of ways more easily than using chunking.

One of many is still one.  It is the reason that this is hard to
implement correctly on a general-purpose server.  If it wasn't for that
reason I would have implemented it last year for 1.2.

>I am not sure what recourse people have at this point.  You could try
>to persuade Apache developers to implement this feature.  I am not
>sure if it would be possible to write an Apache module to do this.

A configurably limited input buffer that redirects the request body
before calling the script could either be implemented in the core
(where dechunking is already being done) or within a mod_cgi replacement
(duplicates effort, but certainly do-able).  OTOH, it is easier to just
implement IPP as a module.

>You could also try to support a new version of the CGI spec which would
>permit CGI to take chunked input.  Neither of these would deal with the
>existing base of installed servers, though.

Just replace mod_cgi with something that passes chunked to the script --
it is only a one word change, but requires scripts that can parse chunked.

>But the one thing which does seem clear is that no change or
>clarification in the HTTP spec can can help.
>
>In that regard, I would suggest that a server which rejects chunked
>message-body but returns a 200 status is not in compliance with the
>spec as it stands now.

Yep, since the status shouldn't be OK if the action wasn't successfully
performed, and you can't perform a POST successfully without understanding
the request body.

....Roy
Received on Sunday, 24 January 1999 08:51:01 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:29 EDT