Rivo Nurges([email protected]) on 2017.03.02 16:32:40 +0000:
> >Synopsis:      DELETE method with payload in relayd
> >Category:      n/a
> >Environment:
>         System      : OpenBSD 6.0
>         Details     : OpenBSD 6.0-current (GENERIC) #2254: Fri Sep  9 05:41:55 MDT 2016
>                       [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
>         Architecture: OpenBSD.amd64
>         Machine     : amd64
> >Description:
> RFC 2616(obsoleted by RFC 7231) doesn't talk about payload of DELETE method.
> RFC 7231 says:
> A payload within a DELETE request message has no defined semantics;
> sending a payload body on a DELETE request might cause some existing
> implementations to reject the request.
>
> Which indirectly allows DELETE method to have payload.
>
> At least Atlassian JIRA uses DELETE method with payload and will break if
> relayd forwards the request without payload.

Hi,

I thought I had fixed this in 2012, but apparently I never committed that diff even though I had oks for it. And I remember we had discussions about this in the past.

The question here is: do we need relayd to block this to protect whatever application is behind it? Do we gain anything from blocking this request? Anecdotal evidence(*) suggests that no one should rely on DELETE having a body.

Reyk?

(*) http://stackoverflow.com/questions/299628/is-an-entity-body-allowed-for-an-http-delete-request
https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Summary_table
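
The framing rule behind this report, as an added example that is not part of the thread and not relayd's code: under RFC 7230 section 3.3.3 a request carries a body when Content-Length or Transfer-Encoding says so, independent of the method, so a relay that decides by method can disagree with the backend about where a DELETE request ends. The names `request_framing`, `iprefix` and `enum framing` are constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum framing { BODY_NONE, BODY_LENGTH, BODY_CHUNKED, BODY_INVALID };
/* Case-insensitive prefix match; returns the text after the prefix or NULL. */
static const char *iprefix(const char *s, const char *pre)
{
    for (; *pre != '\0'; s++, pre++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pre))
            return NULL;
    return s;
}

/*
 * Decide how a request body is framed from the request head alone.
 * The method is deliberately not consulted: a DELETE carrying
 * Content-Length has a body exactly as a POST does. Simplifications:
 * only a bare "chunked" coding is accepted; no overflow check on length.
 */
enum framing request_framing(const char *head, long *len)
{
    int have_len = 0, chunked = 0;
    const char *p = head, *v;
    char *end;
    long n;

    *len = 0;
    while (p != NULL && *p != '\0' && strncmp(p, "\r\n", 2) != 0) {
        if ((v = iprefix(p, "Content-Length:")) != NULL) {
            v += strspn(v, " \t");
            n = strtol(v, &end, 10);
            /* reject non-numeric values and conflicting duplicates */
            if (!isdigit((unsigned char)*v) || *end != '\r' || (have_len && n != *len))
                return BODY_INVALID;
            *len = n;
            have_len = 1;
        } else if ((v = iprefix(p, "Transfer-Encoding:")) != NULL) {
            v = iprefix(v + strspn(v, " \t"), "chunked");
            if (v == NULL || *v != '\r')
                return BODY_INVALID;
            chunked = 1;
        }
        if ((p = strstr(p, "\r\n")) != NULL)
            p += 2;
    }
    if (chunked)    /* Transfer-Encoding overrides Content-Length */
        return BODY_CHUNKED;
    return (have_len && *len > 0) ? BODY_LENGTH : BODY_NONE;
}
```

A relay using this result forwards exactly `len` bytes (or the chunked stream) after the head for any method, and answers 400 on `BODY_INVALID` instead of guessing.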
