[Web-SIG] Most WSGI servers close connections to early.
P.J. Eby
pje at telecommunity.com
Wed Sep 22 19:00:13 CEST 2010
At 08:34 AM 9/22/2010 -0700, Robert Brewer wrote:
>Marcel Hellkamp wrote:
> > I would like to add a warning to the WSGI/web3 specification to address
> > this issue:
> >
> > "An application should read all available data from
> > `environ['wsgi.input']` on POST or PUT requests, even if it does not
> > process that data. Otherwise, the client might fail to complete the
> > request and not display the response."
>
>Indeed. CherryPy has protected against this for some time. But it
>shouldn't be the burden of *applications* to do this; the WSGI
>"origin" server can do so quite easily.
>
>However, the caveat requires a caveat: servers must still be able to
>protect themselves from malicious clients. In practice, that means
>allowing servers to close the connection without reading the entire
>request body if a certain number of bytes is exceeded.
We can certainly add warnings, although these are both more of a
"best practices" advisory rather than a part of the spec per se.
More information about the Web-SIG
mailing list