Graham Dumpleton wrote:
I have just added to mod_python in subversion a req.discard_request_body()
method. This is a direct wrapper for underlying ap_discard_request_body()
function in C API.
The purpose of the underlying function is as described in documentation
attached to prototype in headers.
/**
 * In HTTP/1.1, any method can have a body. However, most GET handlers
 * wouldn't know what to do with a request body if they received one.
 * This helper routine tests for and reads any message body in the request,
 * simply discarding whatever it receives. We need to do this because
 * failing to read the request body would cause it to be interpreted
 * as the next request on a persistent connection.
 * @param r The current request
 * @return error status if request is malformed, OK otherwise
 */
AP_DECLARE(int) ap_discard_request_body(request_rec *r);
In other words, the function should be used in GET handlers to get rid of
any content in the request. I appreciate that web clients are generally well
behaved, but if such content is sent and isn't discarded and keep alives
are in use on a connection and requests are pipelined, that content can be
wrongly interpreted as being the next request and a failure would thus
occur.
A robust handler would therefore always call req.discard_request_body()
if the request is a GET request.
My question is, should mod_python.publisher and mod_python.psp be
enhanced and call req.discard_request_body() for a GET request to avoid
the possibilities of any problems arising due to a client sending content
for a GET request?
With the rise of AJAX applications where Javascript is explicitly used to
send custom requests, even if it is done inadvertently and POST should
have been used, the risk of having GET requests with content is also
probably on the rise.
Note that although mod_python.publisher will always apply util.FieldStorage
to a request, it only consumes content for a POST request. Same deal with
mod_python.psp, although it only processes forms when "form" variable
accessed from PSP page.
Thoughts???
+1
If something shouldn't happen but it can happen and screw things up when
it does, someone will do it either through carelessness or for evil
purposes. Let's do the safe thing and discard the request body in psp
and publisher.
Jim
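
The failure discussed in this thread, as an added example that is not part of the original messages and is not Apache or mod_python code: a toy keep-alive loop that parses two pipelined requests, once leaving the GET body unread and once discarding it. The parser, the function names and the sample bytes are constructed for illustration, and only Content-Length bodies are handled (no chunked encoding).

```python
import io

def read_head(stream):
    """Read one request head; return (method, path, headers), or None at EOF."""
    line = stream.readline()
    if not line:
        return None
    parts = line.decode("latin-1").rstrip("\r\n").split(" ")
    if len(parts) != 3 or not (parts[0].isalpha() and parts[0].isupper()):
        raise ValueError("malformed request line: %r" % line)
    headers = {}
    while True:
        field = stream.readline().decode("latin-1").rstrip("\r\n")
        if not field:
            return parts[0], parts[1], headers
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()

def discard_body(stream, headers):
    """Toy stand-in for discarding the body: read and drop Content-Length bytes."""
    remaining = int(headers.get("content-length", "0"))
    if remaining < 0:
        raise ValueError("negative Content-Length")
    while remaining:
        chunk = stream.read(min(remaining, 4096))
        if not chunk:
            raise ValueError("body shorter than Content-Length")
        remaining -= len(chunk)

def serve(raw, discard):
    """Handle every request on one persistent connection; return the outcomes."""
    stream, log = io.BytesIO(raw), []
    while True:
        try:
            request = read_head(stream)
            if request is None:
                return log
            method, path, headers = request
            if method == "GET" and discard:
                discard_body(stream, headers)  # the step the thread proposes
        except ValueError:
            log.append("400 malformed")        # connection is out of sync
            return log
        log.append("200 %s %s" % (method, path))

# Constructed sample: a GET that carries a body, pipelined ahead of a normal GET.
BODY = b"q=unexpected"
PIPELINED = (b"GET /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: %d\r\n\r\n"
             % len(BODY)) + BODY + b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("body left unread:", serve(PIPELINED, discard=False))
    print("body discarded:  ", serve(PIPELINED, discard=True))
```

With the body left unread, the leftover bytes are glued to the front of the second request line and the connection fails; with the body discarded, both requests are served.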