- From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
- Date: Sun, 24 Jan 1999 00:48:32 -0800
- To: John Franks <john@math.nwu.edu>
- Cc: kugler@us.ibm.com, http-wg@hplb.hpl.hp.com, ipp@pwg.org
>This discussion is getting off track. There is a problem here and it >may well impinge on IPP. But the problem is not with the HTTP spec. > >The problem is that there is no way to use CGI with chunked message-bodies. >This is can be viewed as a limitation of CGI (CGI's problem) or a >limitation of the most popular implementations of HTTP (HTTP implementor's >problem). But it is not a problem with the HTT Protocol. HTTP does >not prevent using chunking with CGI and it is not hard to find servers >which support this, even though the most popular ones do not. Agreed. >Also this really has nothing to do with denial of service which can be >done in lots of ways more easily than using chunking. One of many is still one. It is the reason that this is hard to implement correctly on a general-purpose server. If it wasn't for that reason I would have implemented it last year for 1.2. >I am not sure what recourse people have at this point. You could try >to persuade Apache developers to implement this feature. I am not >sure if it would be possible to write an Apache module to do this. A configurably limited input buffer that redirects the request body before calling the script could either be implemented in the core (where dechunking is already being done) or within a mod_cgi replacement (duplicates effort, but certainly do-able). OTOH, it is easier to just implement IPP as a module. >You could also try to support a new version of the CGI spec which would >permit CGI to take chunked input. Neither of these would deal with the >existing base of installed servers, though. Just replace mod_cgi with something that passes chunked to the script -- it is only a one word change, but requires scripts that can parse chunked. >But the one thing which does seem clear is that no change or >clarification in the HTTP spec can can help. > >In that regard, I would suggest that a server which rejects chunked >message-body but returns a 200 status is not in compliance with the >spec as it stands now. Yep, since the status shouldn't be OK if the action wasn't successfully performed, and you can't perform a POST successfully without understanding the request body. ....Roy
Received on Sunday, 24 January 1999 00:54:49 UTC