W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: PATCH draft

From: Cyrus Daboo <cyrus@daboo.name>
Date: Fri, 30 Jan 2009 11:15:02 -0500
To: Lisa Dusseault <lisad@messagingarchitects.com>, ietf-http-wg@w3.org
Message-ID: <ED3EB46797792AAE08F3F34A@caldav.corp.apple.com>

Hi Lisa,

--On January 26, 2009 5:54:22 PM +0000 Lisa Dusseault 
<lisad@messagingarchitects.com> wrote:

> Julian helped me get another draft of this out that fixes his issues:
>
> http://tools.ietf.org/html/draft-dusseault-http-patch-12
>
> I've had so many groups ask for this over the years that I'm embarrassed
> it has taken this long.  Please provide final comments shortly and I'll
> try to get it done.

- In the example in Section 2.1 there is a Content-MD5 header in the 
response. What does that refer to? The actual response body is empty.

- Security: PATCH will likely require the server to use a lot more CPU than 
a straight PUT. If someone were to define an "active" patch format (e.g. 
one with a repeat or loop capability), then a malicious client could use 
that as a denial-of-service vector. Can we add text like the following to 
Security Considerations:

    Servers MUST take adequate precautions to ensure that malicious
    clients cannot consume excessive server resources (e.g., CPU, disk I/O)
    through the client's use of PATCH.

Isn't there a response code for the server to indicate it is giving up 
processing because the client request has consumed too much e.g., CPU?

- There should be some statement in the document along the lines of:

    Clients need to make a smart choice on when it is applicable to use
    PATCH rather than PUT. For example, if the patch document size is
    larger than the size of the new resource data that would be used in a
    PUT, then it probably makes sense to use PUT instead of PATCH.

-- 
Cyrus Daboo
Received on Friday, 30 January 2009 16:20:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT