At 08:34 AM 9/22/2010 -0700, Robert Brewer wrote:
Marcel Hellkamp wrote:
> I would like to add a warning to the WSGI/web3 specification to address
> this issue:
>
> "An application should read all available data from
> `environ['wsgi.input']` on POST or PUT requests, even if it does not
> process that data. Otherwise, the client might fail to complete the
> request and not display the response."

Indeed. CherryPy has protected against this for some time. But it
shouldn't be the burden of *applications* to do this; the WSGI
"origin" server can do so quite easily.

However, the caveat requires a caveat: servers must still be able to
protect themselves from malicious clients. In practice, that means
allowing servers to close the connection without reading the entire
request body if a certain number of bytes is exceeded.

We can certainly add warnings, although these are both more of a
"best practices" advisory rather than a part of the spec per se.
_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
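
The server-side behaviour discussed in this thread, sketched as an added example (not code from any of the posters, from CherryPy, or from the WSGI spec): the server discards whatever the application left unread in `environ['wsgi.input']`, but only up to a byte limit, and otherwise reports that the connection should be closed. The names `CountingInput`, `drain_unread_body`, `run_app` and `reject_upload`, and the 64 KiB limit, are assumptions for illustration; a declared `Content-Length` is assumed (no chunked bodies).

```python
import io

class CountingInput:
    """Wraps environ['wsgi.input'] and tracks how much of the declared body is unread."""
    def __init__(self, stream, content_length):
        self.stream = stream
        self.remaining = max(content_length, 0)

    def read(self, size=-1):
        if size is None or size < 0 or size > self.remaining:
            size = self.remaining  # never read past the declared body
        data = self.stream.read(size)
        self.remaining -= len(data)
        return data

def drain_unread_body(body, max_drain=64 * 1024, chunk=8192):
    """Return True if the rest of the body was discarded (connection reusable),
    False if the server should close the connection instead."""
    if body.remaining > max_drain:
        return False  # too much left: refuse to read it, close instead
    while body.remaining:
        if not body.read(min(chunk, body.remaining)):
            return False  # client sent less than Content-Length promised
    return True

def run_app(app, environ, max_drain=64 * 1024):
    """What an origin server could do around one request (hypothetical helper)."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"] = CountingInput(environ["wsgi.input"], length)
    status = []
    result = app(environ, lambda s, headers, exc_info=None: status.append(s))
    try:
        output = b"".join(result)
    finally:
        if hasattr(result, "close"):
            result.close()
    return status[0], output, drain_unread_body(body, max_drain)

def reject_upload(environ, start_response):
    """Constructed sample app: answers a POST without reading wsgi.input."""
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"uploads are not allowed\n"]

if __name__ == "__main__":
    for size in (1000, 1_000_000):  # constructed request bodies
        env = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(size),
               "wsgi.input": io.BytesIO(b"x" * size)}
        print(size, run_app(reject_upload, env))
```

The third element of the returned tuple is the keep-alive decision: `True` means the unread body was consumed and the connection can carry another request, `False` means the limit was exceeded or the body was short and the server should close the connection.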