On 03/04/2006, at 4:53 PM, Mike Looijmans wrote:
My question is, should mod_python.publisher and mod_python.psp be
enhanced and call req.discard_request_body() for a GET request to
avoid
the posibilities of any problems arising due to a client sending
content
for a GET request?
-1 on that particular way of implementing it. If the GET request
has a body, that body probably serves some purpose.
The right thing to do for any handler that does not know how to
handle the request is to return a 'bad request' error to the
client. Just throwing away what is not understood is not very nice
to developers and users - you'll get unexpected behaviour because
the server is only handling a part of the request.
The trouble here is of course that publisher or PSP cannot tell
forehand that the handler will read the body data. So the only way
to determine this is to have the handler handle the request, and
after that, check if it did read all of the request. If not, you're
too late to report this to the client, because the headers have
already been sent out. Putting some message in an error log that no-
one will ever read (in particular not the one who caused that
problem) does not make sense either. To fix this, the handler
should somehow advertise its capability to read the body.
I guess you can't really solve the problem. Which is the lesser evil?
Digging further, Apache will always ensure that
ap_discard_request_body()
is executed at the end of the request being processed, so there is no
real
problem to be solved.
Although caution is good, I have read to much into the combination of
the
statements:
The first step we take upon entering the handler() function is to
call the
discard_request_body() method. Unlike HTTP/1.0, where only POST and
PUT requests may contain a request body, in HTTP/1.1 any method may
include a body. We have no use for it, so we throw it away to
avoid potential
problems.
and:
* In HTTP/1.1, any method can have a body. However, most GET handlers
* wouldn't know what to do with a request body if they received one.
* This helper routine tests for and reads any message body in the
request,
* simply discarding whatever it receives. We need to do this because
* failing to read the request body would cause it to be interpreted
* as the next request on a persistent connection.
The bit I was missing was that Apache calls the function already. :-)
So, nothing to see, move along ....
Graham