On Jul 23, 2008, at 3:50 PM, Sergey Schetinin wrote: > I didn't read all the code in the linked page, so I could be wrong, > but it seems that DirectCascade ignores the fact that a failed app > could consume some or all of data from environ['wsgi.input'] and will > thus break the apps later in the cascade. The right thing to do, I > think, would be to insert middleware one level higher that would do > the necessary checks on the input stream and cache it on disk if > required. Anyway, are there any real cases when a POST / PUT request > doesn't have CONTENT_LENGTH in environ?
well DirectCascade is written with the assumption that the things you're cascading don't care about wsgi.input. If they do, then you can't use this technique (another argument for LimitRequestBody....and subsequently Apache, unless lighttpd or nginx, the seeming two competitors, supply this functionality as well). Whether or not CONTENT_LENGTH is set (and it wouldn't be present in the case of a malicious attack, though not sure if some other part of the HTTP stack catches that), the current approaches read the whole stream into a tempfile. _______________________________________________ Paste-users mailing list [email protected] http://webwareforpython.org/cgi-bin/mailman/listinfo/paste-users
