Re: Resend: Re: IPP> Chunked POST: SUMMARY

>This discussion is getting off track.  There is a problem here and it
>may well impinge on IPP.  But the problem is not with the HTTP spec.
>
>The problem is that there is no way to use CGI with chunked message-bodies.
>This is can be viewed as a limitation of CGI (CGI's problem) or a 
>limitation of the most popular implementations of HTTP (HTTP implementor's
>problem).  But it is not a problem with the HTT Protocol.  HTTP does
>not prevent using chunking with CGI and it is not hard to find servers
>which support this, even though the most popular ones do not.

Agreed.

>Also this really has nothing to do with denial of service which can be
>done in lots of ways more easily than using chunking.

One of many is still one.  It is the reason that this is hard to
implement correctly on a general-purpose server.  If it wasn't for that
reason I would have implemented it last year for 1.2.

>I am not sure what recourse people have at this point.  You could try
>to persuade Apache developers to implement this feature.  I am not
>sure if it would be possible to write an Apache module to do this.

A configurably limited input buffer that redirects the request body
before calling the script could either be implemented in the core
(where dechunking is already being done) or within a mod_cgi replacement
(duplicates effort, but certainly do-able).  OTOH, it is easier to just
implement IPP as a module.

>You could also try to support a new version of the CGI spec which would
>permit CGI to take chunked input.  Neither of these would deal with the
>existing base of installed servers, though.

Just replace mod_cgi with something that passes chunked to the script --
it is only a one word change, but requires scripts that can parse chunked.

>But the one thing which does seem clear is that no change or
>clarification in the HTTP spec can can help.
>
>In that regard, I would suggest that a server which rejects chunked
>message-body but returns a 200 status is not in compliance with the
>spec as it stands now.

Yep, since the status shouldn't be OK if the action wasn't successfully
performed, and you can't perform a POST successfully without understanding
the request body.

....Roy

Received on Sunday, 24 January 1999 00:54:49 UTC