ZServer response RFC compliance improvement
Hi everyone, I'd like to get the zserver-content-length.patch created by dunny in this collector issue: http://www.zope.org/Collectors/Zope/1866/collector_issue_contents merged into the Zope 2.7/2.8 branches and the trunk. It ensures that certain classes of responses (e.g. 304) correctly leave out the content-length header. Can anyone see a valid reason for not merging it in?

jens
Jens Vagelpohl wrote:
I'd like to get the zserver-content-length.patch created by dunny in this collector issue:
http://www.zope.org/Collectors/Zope/1866/collector_issue_contents
merged into the Zope 2.7/2.8 branches and the trunk. It ensures that certain classes of responses (e.g. 304) correctly leave out the content-length header. Can anyone see a valid reason for not merging it in?
Are we sure that we won't be breaking the rather large possible set of installed servers running behind Apache 1.3.x with the bug for which adding the content length was a workaround? If the header only affects Safari / Konqueror (in practice), then this is *not* a pure win, if there are a significant number of affected servers in production.

We should probably look at adding a zope.conf switch for this behavior, and leave the header in place by default for 2.7.x and 2.8.x. We could default it off for the trunk, with a commented-out entry showing how (and why) to reenable it, and deprecate that setting through 2.10 or something.

Tres.
--
Tres Seaver +1 202-558-7113 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
On 8/22/05, Tres Seaver <tseaver@palladion.com> wrote:
Are we sure that we won't be breaking the rather large possible set of installed servers running behind Apache 1.3.x with the bug for which adding the content length was a workaround?
I understand that this bug was resolved in Apache 1.3.27 [1]. Which is a few years old now. And outdated by several security releases since then.

Also OFS.Image has been patched as of Zope 2.7.1 [2] in such a way that it would have already tripped a combination of old-ish Apache and new-ish Zope. Though ZServer was still throwing in a "Content-Length: 0". (Which I read as sufficient to provoke the bug in Apache < 1.3.27.)

[1] http://www.apacheweek.com/issues/02-10-04
[2] http://cvs.zope.org/Zope/lib/python/OFS/Attic/Image.py?hideattic=0&only_with...
On 22 Aug 2005, at 21:55, Michael Dunstan wrote:
On 8/22/05, Tres Seaver <tseaver@palladion.com> wrote:
Are we sure that we won't be breaking the rather large possible set of installed servers running behind Apache 1.3.x with the bug for which adding the content length was a workaround?
I understand that this bug was resolved in Apache 1.3.27 [1]. Which is a few years old now. And outdated by several security releases since then.
From my reading of http://www.apacheweek.com/issues/02-10-04 this issue only existed in 1.3.26:

"""
In 1.3.26, a null or all-blank Content-Length triggers an error although previous versions would silently ignore it and assume 0 length. 1.3.27 restores this previous behaviour.
"""

The other content-length-related issue actually seems to imply it is better to leave the header out of 304 responses, because Apache would "mis-use" the header and apply its value to cached content:

"""
Some fixes to mod_proxy. The cache was incorrectly updating the Content-Length from 304 responses when doing validation. Also fix a problem where headers from other modules were added to the response headers when this was done in the core already.
"""
Also OFS.Image has been patched as of Zope 2.7.1 [2] in such a way that it would have already tripped a combination of old-ish Apache and new-ish Zope. Though ZServer was still throwing in a "Content-Length: 0". (Which I read as sufficient to provoke the bug in Apache < 1.3.27.)
Yes, both issues mentioned above actually, from the way I read that text.

This setting could be manipulated via a zope.conf directive, but from the evidence it seems the maintenance/administrative annoyance of adding yet another knob for something that seems to carry no risk might not be worth it. I'd still plead for including it the way it is.

jens
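A small lint for the header behaviour debated in this thread, added here as an illustration and not taken from zserver-content-length.patch or from Zope: it flags a Content-Length on a 304 (what the patch is described as removing), on 1xx/204 responses (which RFC 7230 section 3.3.2 forbids), and a blank Content-Length value (the Apache 1.3.26 trigger quoted above). The function names, finding codes and sample responses are constructed for this example.

```python
import re

# Constructed sample response heads (not captured from a real ZServer).
SAMPLE_304_ZERO = (b"HTTP/1.1 304 Not Modified\r\n"
                   b"ETag: \"constructed\"\r\nContent-Length: 0\r\n\r\n")
SAMPLE_304_CLEAN = b"HTTP/1.1 304 Not Modified\r\nETag: \"constructed\"\r\n\r\n"
SAMPLE_200_BLANK = b"HTTP/1.1 200 OK\r\nContent-Length: \r\n\r\nhello"
SAMPLE_204_ZERO = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
SAMPLE_200_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def parse_head(raw: bytes):
    """Return (status_code, [(lowercased_name, value), ...]) for a response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def lint_content_length(raw: bytes):
    """Return a sorted list of finding codes for one raw response."""
    status, headers = parse_head(raw)
    values = [v for n, v in headers if n == "content-length"]
    findings = set()
    for value in values:
        if value == "":
            # Null or all-blank value: the case Apache 1.3.26 rejected.
            findings.add("blank-content-length")
        elif not re.fullmatch(r"[0-9]+", value):
            findings.add("malformed-content-length")
    if values and (100 <= status < 200 or status == 204):
        findings.add("content-length-on-bodiless-status")
    if values and status == 304:
        # A caching proxy may apply this value to the cached entity.
        findings.add("content-length-on-304")
    return sorted(findings)


if __name__ == "__main__":
    for name, raw in sorted(globals().items()):
        if name.startswith("SAMPLE_"):
            print(name, lint_content_length(raw))
```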
participants (3)
- Jens Vagelpohl
- Michael Dunstan
- Tres Seaver