On 03/04/2006, at 4:53 PM, Mike Looijmans wrote:

My question is, should mod_python.publisher and mod_python.psp be
enhanced and call req.discard_request_body() for a GET request to avoid the posibilities of any problems arising due to a client sending content
for a GET request?

-1 on that particular way of implementing it. If the GET request has a body, that body probably serves some purpose.

The right thing to do for any handler that does not know how to handle the request is to return a 'bad request' error to the client. Just throwing away what is not understood is not very nice to developers and users - you'll get unexpected behaviour because the server is only handling a part of the request.

The trouble here is of course that publisher or PSP cannot tell forehand that the handler will read the body data. So the only way to determine this is to have the handler handle the request, and after that, check if it did read all of the request. If not, you're too late to report this to the client, because the headers have already been sent out. Putting some message in an error log that no- one will ever read (in particular not the one who caused that problem) does not make sense either. To fix this, the handler should somehow advertise its capability to read the body.

I guess you can't really solve the problem. Which is the lesser evil?

Digging further, Apache will always ensure that ap_discard_request_body() is executed at the end of the request being processed, so there is no real
problem to be solved.

Although caution is good, I have read to much into the combination of the

The first step we take upon entering the handler() function is to call the
  discard_request_body() method. Unlike HTTP/1.0, where only POST and
  PUT requests may contain a request body, in HTTP/1.1 any method may
include a body. We have no use for it, so we throw it away to avoid potential


  * In HTTP/1.1, any method can have a body. However, most GET handlers
  * wouldn't know what to do with a request body if they received one.
* This helper routine tests for and reads any message body in the request,
  * simply discarding whatever it receives. We need to do this because
  * failing to read the request body would cause it to be interpreted
  * as the next request on a persistent connection.

The bit I was missing was that Apache calls the function already. :-)

So, nothing to see, move along ....


Reply via email to