On 22 Aug 2005, at 21:55, Michael Dunstan wrote:

On 8/22/05, Tres Seaver <[EMAIL PROTECTED]> wrote:

Are we sure that we won't be breaking the rather large possible set of
installed servers running behind Apache 1.3.x with the bug for which
adding the content length was a workaround?

I understand that this bug was resolved in Apache 1.3.27 [1]. Which is
a few years old now. And outdated by several security releases since

From my reading of http://www.apacheweek.com/issues/02-10-04 this issue only existed in 1.3.26:

In 1.3.26, a null or all-blank Content-Length triggers an error although previous versions would silently ignore it and assume 0 length. 1.3.27 restores this previous behaviour.

The other content-length-related issue actually seems to imply it is better to leave the header out of 304 responses, because Apache would "mis-use" the header and apply its value to cached content:

Some fixes to mod_proxy. The cache was incorrectly updating the Content-Length from 304 responses when doing validation. Also fix a problem where headers from other modules were added to the response headers when this was done in the core already.

Also OFS.Image been patched as of Zope 2.7.1 [2] in such a way that it
would have already tripped a combination of old-ish Apache and new-ish
Zope. Though ZServer was still throwing in a "Content-Length: 0".
(Which I read as sufficient to provoke the bug in Apache < 1.3.27.)

Yes, both issues mentioned above actually, from the way I read that text.

This setting could be manipulated via a zope.conf directive, but from the evidence it seems the maintenance/administrative annoyance of adding yet another knob for something that seems to carry no risk might not be worth it. I'd still plead for including it the way it is.


Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to