- From: Dave Kristol <dmk@allegra.att.com>
- Date: Wed, 24 Apr 96 09:59:07 EDT
- To: fielding@avron.ICS.UCI.EDU
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
"Roy T. Fielding" <fielding@avron.ICS.UCI.EDU> wrote: > > [DMK] > > I believe NULL-Request was added to handle the lingering CRLF following > > a POSTed entity body. It may have an unexpected and unintended > > interaction with persistent connections: because the NULL-Request has > > no HTTP-Version and no Connection header, the server is obliged to > > close the connection after servicing the NULL-Request. > > Well, Dave, I must say that you have a perverse way of reading specs > that discovers problems I would never even dream of. ;-) Um, thanks, I guess. It comes from intense language lawyering for the ANSI C spec. > I've noticed that some implementers manage to derive similar > interpretations, so I'm glad you find them first. Well, I found it because indeed I was trying to figure out exactly how to implement null requests and noticed the presumed unintended side-effect. > > Any thoughts as to what/where words need to be added to prevent this > unfortunate event? Not really. The NULL-Request idea seems attractive at first glance, but it makes me nervous that a server should silently eat and discard an arbitrary number of blank lines (assuming the persistent connection issue gets side-stepped). That opens the gate for a malicious client to mount a denial of service attack by pumping a stream of CRLF's at a server. I'm more inclined to deal with it as a special-case hack: - if there is a POST, and - if the connection is held open, - (and if the request is HTTP/1.0?), the server should look for, and silently discard, a CRLF that follows the entity body. Dave
Received on Wednesday, 24 April 1996 07:10:00 UTC