- From: Cyrus Daboo <cyrus@daboo.name>
- Date: Fri, 30 Jan 2009 11:15:02 -0500
- To: Lisa Dusseault <lisad@messagingarchitects.com>, ietf-http-wg@w3.org
Hi Lisa,
--On January 26, 2009 5:54:22 PM +0000 Lisa Dusseault
<lisad@messagingarchitects.com> wrote:
> Julian helped me get another draft of this out that fixes his issues:
>
> http://tools.ietf.org/html/draft-dusseault-http-patch-12
>
> I've had so many groups ask for this over the years that I'm embarrassed
> it has taken this long. Please provide final comments shortly and I'll
> try to get it done.
- In the example in Section 2.1 there is a Content-MD5 header in the
response. What does that refer to? The actual response body is empty.
- Security: PATCH will likely require the server to use a lot more CPU than
a straight PUT. If someone were to define an "active" patch format (e.g.
one with a repeat or loop capability), then a malicious client could use
that as a denial-of-service vector. Can we add text like the following to
Security Considerations:
Servers MUST take adequate precautions to ensure that malicious
clients cannot consume excessive server resources (e.g., CPU, disk I/O)
through the client's use of PATCH.
Isn't there a response code for the server to indicate it is giving up
processing because the client request has consumed too much e.g., CPU?
- There should be some statement in the document along the lines of:
Clients need to make a smart choice on when it is applicable to use
PATCH rather than PUT. For example, if the patch document size is
larger than the size of the new resource data that would be used in a
PUT, then it probably makes sense to use PUT instead of PATCH.
--
Cyrus Daboo
Received on Friday, 30 January 2009 16:20:08 UTC