Details

      Description

      HTTP server decoding (aka HttpServerDecoder) is broken is several parts:
      1) it make the assertion that PUT and POST request must have a non -zero length body. This is false, thing about REST request: an empty PUT request can be use to create a server initialized entry and an empty POST request can be used to change properties where the value is stored in the URL (/rest/1234/status/cancelled). In that case, an exception is thrown but the state is not reset so remaining decoding will fail
      2) it also make the assumption that only PUT and POST request can have a body where I can't find a significant case but I tried a GET request with a body on Google (GPE), Microsoft (IIS) and Apache (Apache) and Google was the only server to reject the request as malformed.

        Activity

        Hide
        vrm Julien Vermillard added a comment -

        Agreeing on empty content, but for content on GET I'm not really sure we want to authorize that.

        Reading the RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.3 I feel like it's not a good use case, but I wonder if it's really forbidden.

        Perhaps we should support that and let the user code ignore.

        Show
        vrm Julien Vermillard added a comment - Agreeing on empty content, but for content on GET I'm not really sure we want to authorize that. Reading the RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.3 I feel like it's not a good use case, but I wonder if it's really forbidden. Perhaps we should support that and let the user code ignore.
        Hide
        jeffmaury Jeff MAURY added a comment -

        Patch + test on 2.0 branch

        Show
        jeffmaury Jeff MAURY added a comment - Patch + test on 2.0 branch
        Hide
        elecharny Emmanuel Lecharny added a comment -

        We should accept BODY within a GET request. As Roy Fielding says in http://stackoverflow.com/questions/978061/http-get-with-request-body :
        " Server semantics for GET, however, are restricted such that a body, if any, has no semantic meaning to the request. The requirements on parsing are separate from the requirements on method semantics."
        "So, yes, you can send a body with GET, and no, it is never useful to do so."

        Show
        elecharny Emmanuel Lecharny added a comment - We should accept BODY within a GET request. As Roy Fielding says in http://stackoverflow.com/questions/978061/http-get-with-request-body : " Server semantics for GET, however, are restricted such that a body, if any, has no semantic meaning to the request. The requirements on parsing are separate from the requirements on method semantics." "So, yes, you can send a body with GET, and no, it is never useful to do so."
        Hide
        jeffmaury Jeff MAURY added a comment -

        The patch I sent is full tolerant for body: all methods can have a body, it is to the user to decide what to do with it

        Show
        jeffmaury Jeff MAURY added a comment - The patch I sent is full tolerant for body: all methods can have a body, it is to the user to decide what to do with it
        Hide
        elecharny Emmanuel Lecharny added a comment -

        Patch applied in http://svn.apache.org/viewvc?rev=1413650&view=rev.

        Thanks for it !

        Show
        elecharny Emmanuel Lecharny added a comment - Patch applied in http://svn.apache.org/viewvc?rev=1413650&view=rev . Thanks for it !

          People

          • Assignee:
            Unassigned
            Reporter:
            jeffmaury Jeff MAURY
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development