Marcel Hellkamp wrote:
> I just discovered a problem that affects most WSGI server
> implementations and most current web-browsers (tested with wsgiref,
> paste, firefox, chrome, wget and curl):
>
> If the server closes the connection while the client is still uploading
> data via POST or PUT, the browser displays an error message
> ('Connection closed') and does not display the response sent by the
> server.
>
> The error occurs if an application chooses to not process a form
> submission before returning to the WSGI server. This is quite rare in
> real world scenarios, but hard to debug because the server logs the
> request as successfully sent to the client.
>
> To reproduce the problem, run the following script, visit
> http://localhost:8080/ and upload a big file::
>
>     from wsgiref.simple_server import make_server
>
>     def application(environ, start_response):
>         # The request body in environ['wsgi.input'] is never read.
>         start_response('200 OK', [('Content-Type', 'text/html')])
>         # Body chunks must be bytes under WSGI on Python 3.
>         return [b"""
>             <form method='post' enctype='multipart/form-data'>
>               Upload big file:
>               <input type='file' name='file' />
>               <input type='submit' />
>             </form>
>         """]
>
>     server = make_server('localhost', 8080, application)
>     server.serve_forever()
>
> I would like to add a warning to the WSGI/web3 specification to address
> this issue:
>
> "An application should read all available data from
> `environ['wsgi.input']` on POST or PUT requests, even if it does not
> process that data. Otherwise, the client might fail to complete the
> request and not display the response."

Indeed. CherryPy has protected against this for some time. But it
shouldn't be the burden of *applications* to do this; the WSGI "origin"
server can do so quite easily.

However, the caveat requires a caveat: servers must still be able to
protect themselves from malicious clients. In practice, that means
allowing servers to close the connection without reading the entire
request body if a certain number of bytes is exceeded.

Robert Brewer
fuman...@aminus.org
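
Added example (not code from this thread, from CherryPy, or from any WSGI server): a WSGI middleware that applies the behaviour discussed above, discarding whatever request body the application left unread but giving up once a byte cap is reached so that a client cannot force unbounded reads. `CountingInput`, `drain`, `drain_unread_body` and the `example.body_drained` environ key are hypothetical names, and the code assumes requests that declare `CONTENT_LENGTH` (no chunked bodies).

```python
class CountingInput:
    """Wraps wsgi.input; tracks declared body bytes the app has not read."""
    def __init__(self, stream, length):
        self.stream, self.remaining = stream, length

    def _take(self, reader, size):
        if size is None or size < 0 or size > self.remaining:
            size = self.remaining          # never read past Content-Length
        data = reader(size) if size else b""
        self.remaining -= len(data)
        return data

    def read(self, size=-1):
        return self._take(self.stream.read, size)

    def readline(self, size=-1):
        return self._take(self.stream.readline, size)

    def __iter__(self):
        return iter(self.readline, b"")

def drain(body, max_drain, chunk=65536):
    """Discard unread bytes, at most max_drain. True only if the body is now empty."""
    budget = max_drain
    while body.remaining and budget:
        data = body.read(min(chunk, budget))
        if not data:                       # client stopped sending early
            break
        budget -= len(data)
    return body.remaining == 0

def drain_unread_body(app, max_drain=1 << 20):
    """Middleware: once the app's response has been produced, drain the leftovers."""
    def wrapper(environ, start_response):
        length = max(0, int(environ.get("CONTENT_LENGTH") or 0))
        body = environ["wsgi.input"] = CountingInput(environ["wsgi.input"], length)
        result = app(environ, start_response)
        try:
            yield from result
        finally:
            getattr(result, "close", lambda: None)()   # WSGI: close the app iterable
            # Hypothetical key: False tells the server to close the connection
            # instead of reading further or reusing it.
            environ["example.body_drained"] = drain(body, max_drain)
    return wrapper
```

A `False` value under the hypothetical key means unread bytes are still pending on the socket, so the connection must be closed rather than kept alive.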