Hi!

Friendly reminder:) I'd like to get rid of the local patch.

Rivo

On 03/03/2017, 16:01, "Rivo Nurges" <[email protected]> wrote:

    Hi!
    
    At least Atlassian JIRA will break (throws exception and returns 500) if
    relayd eats its JSON payload from DELETE.
    
    Rivo
    
    On 03/03/2017, 15:47, "Sebastian Benoit" <[email protected]> wrote:
    
        Rivo Nurges([email protected]) on 2017.03.02 16:32:40 +0000:
        > >Synopsis:    DELETE method with payload in relayd
        > >Category:    n/a
        > >Environment:
        >     System      : OpenBSD 6.0
        >     Details     : OpenBSD 6.0-current (GENERIC) #2254: Fri Sep  9 05:41:55 MDT 2016
        >                   [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
        >
        >     Architecture: OpenBSD.amd64
        >     Machine     : amd64
        > >Description:
        > RFC 2616 (obsoleted by RFC 7231) doesn't talk about payload of DELETE
        > method.
        > RFC 7231 says:
        >    A payload within a DELETE request message has no defined semantics;
        >    sending a payload body on a DELETE request might cause some existing
        >    implementations to reject the request.
        >
        > Which indirectly allows DELETE method to have payload.
        >
        > At least Atlassian JIRA uses DELETE method with payload and will
        > break if relayd forwards the request without payload.
        
        Hi,
        
        i thought i had fixed this in 2012, but apparently i never committed that
        diff even though i had oks for it. And i remember we had discussions about
        this in the past.
        
        The question here is: do we need relayd to block this to protect whatever
        application is behind it? Do we gain anything from blocking this request?
        
        Anecdotal evidence(*) suggests that no one should rely on DELETE having
        a body.
        
        Reyk?
        
        
        (*)
        
        http://stackoverflow.com/questions/299628/is-an-entity-body-allowed-for-an-http-delete-request
        https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Summary_table
        
    
    

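Added example, not part of the original thread and not relayd code: RFC 7230 section 3.3 signals a request body through Content-Length or Transfer-Encoding, not through the method, so the sketch below compares that framing rule with a hypothetical method-based rule on a constructed DELETE request. The request, host name, path and function names are assumptions; chunked bodies are rejected rather than decoded.

```python
# Constructed sample: a DELETE request carrying a JSON payload.
BODY = b'{"ids":[1,2,3]}'
SAMPLE = (
    b"DELETE /rest/api/example HTTP/1.1\r\n"
    b"Host: jira.example.org\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


def parse_head(raw):
    """Split a raw request into (method, lower-cased headers, bytes after the head)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, rest


def body_by_headers(raw):
    """Body selected only by the framing headers, never by the method."""
    _, headers, rest = parse_head(raw)
    if "transfer-encoding" in headers:
        raise ValueError("chunked framing is not handled in this sketch")
    length = headers.get("content-length")
    if length is None:
        return b""  # no framing header: the request has no body
    if not (length.isascii() and length.isdigit()):
        raise ValueError("invalid Content-Length")
    if len(rest) < int(length):
        raise ValueError("body shorter than Content-Length")
    return rest[:int(length)]


def body_by_method(raw):
    """Hypothetical method-based rule: only POST and PUT may carry a body."""
    method, _, _ = parse_head(raw)
    return body_by_headers(raw) if method in ("POST", "PUT") else b""


if __name__ == "__main__":
    print("header-based rule forwards:", body_by_headers(SAMPLE))
    print("method-based rule forwards:", body_by_method(SAMPLE))
```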