Re: NULL-Request (Sect. 4.1)

"Roy T. Fielding" <fielding@avron.ICS.UCI.EDU> wrote:
  > > [DMK]
  > > I believe NULL-Request was added to handle the lingering CRLF following
  > > a POSTed entity body.  It may have an unexpected and unintended
  > > interaction with persistent connections:  because the NULL-Request has
  > > no HTTP-Version and no Connection header, the server is obliged to
  > > close the connection after servicing the NULL-Request.
  > Well, Dave, I must say that you have a perverse way of reading specs
  > that discovers problems I would never even dream of.  ;-)

Um, thanks, I guess.  It comes from intense language lawyering for the
ANSI C spec.

  > I've noticed that some implementers manage to derive similar
  > interpretations, so I'm glad you find them first.

Well, I found it because indeed I was trying to figure out exactly how
to implement null requests and noticed the presumed unintended
  > Any thoughts as to what/where words need to be added to prevent this
  > unfortunate event?

Not really.  The NULL-Request idea seems attractive at first glance,
but it makes me nervous that a server should silently eat and discard
an arbitrary number of blank lines (assuming the persistent connection
issue gets side-stepped).  That opens the gate for a malicious client
to mount a denial of service attack by pumping a stream of CRLF's at a
server.  I'm more inclined to deal with it as a special-case hack:

- if there is a POST, and
- if the connection is held open,
- (and if the request is HTTP/1.0?),
the server should look for, and silently discard, a CRLF that follows
the entity body.

Received on Wednesday, 24 April 1996 07:10:00 UTC