On Fri, Mar 10, 2017 at 08:41:06PM +0000, Rivo Nurges wrote:
> Hi!
> 
> Friendly reminder:) I'd like to get rid of the local patch.
> 
> Rivo
> 

Thanks, committed!  (to relayd and httpd)

Reyk

> On 03/03/2017, 16:01, "Rivo Nurges" <[email protected]> wrote:
> 
>     Hi!
>     
>     At least Atlassian JIRA will break (throws exception and returns 500) if relayd eats its JSON payload from DELETE.
>     
>     Rivo
>     
>     On 03/03/2017, 15:47, "Sebastian Benoit" <[email protected]> wrote:
>     
>         Rivo Nurges([email protected]) on 2017.03.02 16:32:40 +0000:
>         > >Synopsis:    DELETE method with payload in relayd
>         > >Category:    n/a
>         > >Environment:
>         >     System      : OpenBSD 6.0
>         >     Details     : OpenBSD 6.0-current (GENERIC) #2254: Fri Sep  9 05:41:55 MDT 2016
>         >                   [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>         > 
>         >     Architecture: OpenBSD.amd64
>         >     Machine     : amd64
>         > >Description:
>         > RFC 2616 (obsoleted by RFC 7231) doesn't talk about payload of DELETE method.
>         > RFC 7231 says:
>         >    A payload within a DELETE request message has no defined semantics;
>         >    sending a payload body on a DELETE request might cause some existing
>         >    implementations to reject the request.
>         > 
>         > Which indirectly allows DELETE method to have payload.
>         > 
>         > At least Atlassian JIRA uses DELETE method with payload and will break if relayd forwards the request without payload.
>         
>         Hi,
>         
>         I thought I had fixed this in 2012, but apparently I never committed that
>         diff even though I had oks for it. And I remember we had discussions about
>         this in the past.
>         
>         The question here is: do we need relayd to block this to protect whatever
>         application is behind it? Do we gain anything from blocking this request?
>         
>         Anecdotal evidence(*) suggests that no one should rely on DELETE having a body.
>         
>         Reyk?
>         
>         
>         (*)
>         http://stackoverflow.com/questions/299628/is-an-entity-body-allowed-for-an-http-delete-request
>         https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Summary_table
>         
>     
>     
> 
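
RFC 7230 section 3.3 signals a request body through Content-Length or Transfer-Encoding, independent of the method, which is why a relay that decides by method can drop a DELETE payload. The C sketch below is an added example, not relayd's or httpd's code and not the committed diff; `header_value`, `request_framing`, the sample request and the choice to refuse Transfer-Encoding combined with Content-Length are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum framing { FRAME_NONE, FRAME_LENGTH, FRAME_CHUNKED, FRAME_INVALID };

/* Value of the first header field `name` in a CRLF-delimited request head, or NULL. */
static const char *header_value(const char *head, const char *name)
{
	size_t n = strlen(name);
	const char *p = strstr(head, "\r\n");	/* end of the request line */
	/* Walk header lines until the empty line that ends the head. */
	for (; p != NULL && p[2] != '\0' && p[2] != '\r'; p = strstr(p, "\r\n")) {
		p += 2;
		if (strncasecmp(p, name, n) == 0 && p[n] == ':')
			return p + n + 1 + strspn(p + n + 1, " \t");
	}
	return NULL;
}

/* Body framing from header fields only; the request method is never consulted. */
enum framing request_framing(const char *head, long long *len)
{
	const char *te = header_value(head, "Transfer-Encoding");
	const char *cl = header_value(head, "Content-Length");
	char *end;
	*len = 0;
	if (te != NULL)	/* assumption: refuse TE combined with CL instead of guessing */
		return (cl == NULL && strncasecmp(te, "chunked\r\n", 9) == 0) ?
		    FRAME_CHUNKED : FRAME_INVALID;
	if (cl == NULL)
		return FRAME_NONE;
	errno = 0;
	*len = strtoll(cl, &end, 10);
	if (isdigit((unsigned char)*cl) && errno == 0 && strncmp(end, "\r\n", 2) == 0)
		return FRAME_LENGTH;
	*len = 0;	/* malformed or out-of-range length */
	return FRAME_INVALID;
}

int main(void)
{
	/* Constructed sample: a DELETE that carries a 13-byte JSON body. */
	const char *req = "DELETE /items HTTP/1.1\r\nHost: app.example\r\n"
	    "Content-Length: 13\r\n\r\n{\"ids\":[1,2]}";
	long long n;
	return request_framing(req, &n) == FRAME_LENGTH && n == 13 ? 0 : 1;
}
```

A relay that forwards exactly the number of body bytes this framing reports keeps both sides of the connection in agreement about where the request ends, whatever the method.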
