On 27 Aug 2009, at 17:22, [email protected] wrote:

It appears that Apache is violating this paragraph from RFC 2616:

- Upon receiving a request which includes an Expect request-header
  field with the "100-continue" expectation, an origin server MUST
  either respond with 100 (Continue) status and continue to read
  from the input stream, or respond with a final status code. The
  origin server MUST NOT wait for the request body before sending
  the 100 (Continue) response. If it responds with a final status
  code, it MAY close the transport connection or it MAY continue
  to read and discard the rest of the request.  It MUST NOT
  perform the requested method if it returns a final status code.

Looks like we have a problem with the sequence:
Client asks for 100-continue
We reply with a final status - e.g. 3xx
[delay somewhere on the wire]
Client sends a request body
We read body as a new request - oops!

It seems to me that keeping the connection open in this
instance means inevitable ambiguity over interpretation
of subsequent data, and the safe course of action is to
close it.  Otherwise we can read subsequent data line-
by-line and discard anything that isn't a valid request
line, at the risk of encountering a false positive in a
request body.

+1 for closing the connection.  Any divergent opinions?

--
Nick Kew
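
The three options weighed in the message above (keep the connection open, scan for the next valid request line, close), as an added example that is not part of the original post and is not Apache code. It is a toy parser over a constructed byte stream; `interpret`, `split_head`, the policy names and the sample request are assumptions, and 301 stands in for "a final status - e.g. 3xx".

```python
import re

REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")

# Constructed sample: a client that asked for 100-continue and, because the
# final status was delayed on the wire, sent its body anyway.
BODY = b"note=hello\r\nGET /other HTTP/1.1\r\nHost: example.test\r\n\r\n"
WIRE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Expect: 100-continue\r\nContent-Length: %d\r\n\r\n" % len(BODY)) + BODY


def split_head(buf):
    """Return (request_line, headers, remaining_bytes) for the next head."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    first, *fields = head.split(b"\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (f.partition(b":") for f in fields)}
    return first, headers, rest


def interpret(wire, policy):
    """List (request_line, status) pairs a toy server derives from `wire`.

    policy: "keepalive" (reuse the connection after a final status),
            "scan" (discard lines until one looks like a request line),
            "close" (drop the connection after the final status).
    """
    seen, buf = [], wire
    while buf:
        if policy == "scan" and seen:
            # Skip leading lines that are not valid request lines.
            while buf and not REQUEST_LINE.fullmatch(buf.partition(b"\r\n")[0]):
                buf = buf.partition(b"\r\n")[2]
            if not buf:
                break
        line, headers, buf = split_head(buf)
        if not REQUEST_LINE.fullmatch(line):
            seen.append((line.decode(), 400))   # body bytes parsed as a request
            break
        if headers.get(b"expect", b"").lower() == b"100-continue":
            seen.append((line.decode(), 301))   # final status, body never read
            if policy == "close":
                break
            continue
        buf = buf[int(headers.get(b"content-length", b"0")):]
        seen.append((line.decode(), 200))       # method performed
    return seen
```

With "keepalive" the first body line is answered as a malformed request, with "scan" the request-shaped line inside the body is the false positive the message warns about, and only "close" leaves a single, unambiguous request.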
