httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject Re: bread() patch
Date Fri, 22 Nov 1996 00:26:13 GMT
> On Wed, 20 Nov 1996, Roy T. Fielding wrote:
>> While testing this, I also discovered that CONTENT_LENGTH is not being
>> passed to the CGI script if the incoming data is chunked.  How is the
> Yes... that's because the client doesn't send one; we don't know what
> the size is. So how can we create a content length?

Via an internal buffer or not at all -- that is why we have the 411 code.

>> script supposed to know how much data to read if we remove the chunk sizes
>> but do not create CONTENT_LENGTH?  They can't look for EOF.  We may have
> Um... why not? That was the solution I had in mind when I wrote the
> code (or rather, when I ripped it off from rst's apache-XX), and it
> works for me... Yes, it's not directly compatible with CGI/1.1, but
> it's a small change. In fact, it's easier on the CGI...

Because CGI/1.1 requires CONTENT_LENGTH on any request containing content.
The script can't look for EOF because not all servers close stdin after
sending the data, and because it isn't a reliable indicator (i.e., the
script needs to know it has received the entire input before it takes
any non-idempotent actions).  This isn't an Apache choice -- it is part
of CGI.

>> to rethink this notion of protecting stupid CGI scripts by doing the
>> chunking transparently.  Either that or use a temporary file.
> I defenitely think we need to protect CGI scripts (and they're not
> "stupid") - the whole point is to make it so that Apache can do
> anything it wants, even whole other protocols, and the CGI script
> doesn't know about it. Do we really want everyone to have to go
> through this again when we support HTTP/2.0, for example? I thought
> that's why nph-scripts were a bad idea.

We can wrap old CGI scripts by completely protecting them from chunked;
the current code doesn't do that.  At the same time, it would be foolish
for us to prevent new CGI scripts from making use of HTTP/1.1 features
correctly, where correctly includes such things as dealing with chunked
input and not sending a 100 response until *the script* has decided that
it is okay to send the rest of the data.

So, if we want to protect old scripts, then we must create separate
mod_cgi and mod_cgi2 modules, define CGI/2.0, and create two API
mechanisms for getting the data.


View raw message