httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Strauss <gs-apache-...@gluelogic.com>
Subject Re: POST without Content-Length
Date Sun, 08 Aug 2004 01:10:25 GMT
On Sat, Aug 07, 2004 at 05:24:19PM -0700, Roy T. Fielding wrote:
> >Since the Apache server can not know if CGI requires C-L, I conclude
> >that CGI scripts are broken if they require C-L and do not return
> >411 Length Required when the CGI/1.1 CONTENT_LENGTH environment
> >variable is not present.  It's too bad that CGI.pm and cgi-lib.pl
> >are both broken in this respect.  Fixing them would be simple and
> >that would take care of the vast majority of legacy apps.

Here's my argument, notwithstanding current practice and the
extremely poor quality of many, many CGI programs out there:

[snip]
> CGI is supposed to be a simple interface for web programming.

You and your cohorts did a great job with it.  It's been quite
extensible and robust (which is not to say it is perfect :)).

[snip]
> CGI was defined in 1993.  HTTP/1.0 in 1993-95.  HTTP/1.1 in 1995-97.

OK, so any robust CGI written after 1995 that is intended to be
gatewayed from an HTTP web server should grok all standard HTTP/1.0
request methods and should know which ones it supports, and which
ones _require_ a message body (e.g. POST, PUT).

And, naturally, the CGI should know it is speaking to an HTTP/1.x 
server on the other end of the gateway because of the CGI/1.1
SERVER_PROTOCOL environment variable.


Now, I always read the CGI/1.1 spec as _requiring_ a CONTENT_LENGTH
if there was any message body.  (<-- Note the qualification).


http://hoohoo.ncsa.uiuc.edu/cgi/env.html

The following environment variables are specific to the request being fulfilled by the gateway
program:

[...]

#  CONTENT_TYPE

For queries which have attached information, such as HTTP POST and PUT, this is the content
type of the data.

# CONTENT_LENGTH

The length of the said content as given by the client. 


It is implied that CONTENT_LENGTH should be set to 0 by the HTTP side
of the gateway when a request method that requires a message body has
an empty body.  Therefore, on the other side of the gateway, any robust
little CGI should check for CONTENT_LENGTH, because it wants to be able
to detect premature end of content.  (It doesn't even have to know that
the HTTP server required a message body for that method)

If a script expects content on stdin and does not find CONTENT_LENGTH,
then even very old CGI scripts should abort with 400 Bad Request.
Better, the script should return 411 Length Required if it
requires CONTENT_LENGTH and one is not present.

Of course, if the script does not require that content be present,
and CONTENT_LENGTH is not present, scripts that do not support
HTTP/1.1 semantics (i.e. Transfer-Encoding) will assume no content
and will silently ignore the content that was submitted.  However,
since the content is not required, one must assume that no corruption
will occur because of its absense; only some missing information results

(RFC 2616 says that C-L should be ignored if T-E is present, and so
an HTTP/1.1 server might pass CONTENT_LENGTH=0 to such scripts along
with HTTP_TRANSFER_ENCODING=chunked, and still be proper.  Scripts
that require content, should then definitely return 400 Bad Request)

In any case, CGI scripts are welcome to support HTTP/1.1 and T-E
if they see appropriate SERVER_PROTOCOL and HTTP_TRANSFER_ENCODING
environment variables.

Cheers,
Glenn

Mime
View raw message