On Wed, Jun 09, 2004 at 09:21:07AM -0700, Rasmus Lerdorf wrote:
> Don't see that anywhere. Either eaten by spam filters or a gerbil.
>
> Anyway, I don't understand why this would have broken mod_dav. If mod_dav
> wants a keepalive connection it should determine this prior to the ap_die
> and set conn->keepalive to 1. Or am I missing something with respect to
> what mod_dav is doing here? I suppose we could add an ugly exception for
> a PROPFIND here, but I'd like to make sure that is actually needed.

From my debugging: mod_dav doesn't actually get involved at all, the
check_user_id handler from the auth module returns AUTH_REQUIRED for the
request, and ap_set_keepalive is not called before ap_die is invoked in
that case. r->connection->keepalive has never been changed from 0 when
the test in question is reached - it's called later by
ap_send_error_response, but that's too late.

> Without this patch non-keepalive connections are not being dropped when we
> know there is nothing more to do. For example, on a server that doesn't
> allow POST someone can POST to it and it will happily sit there and read
> the entire POST request. This defeats the purpose of adding a Limit POST
> and introduces a DoS. Same for a 404 or any other error handler. I can
> POST to a bogus URL and Apache will read the entire POST request even
> though we know it is a 404 at this point and that we can safely discard
> the request body. I don't think releasing .32 without addressing this
> issue is a good idea.