
Bug#388443: apache2: MUST NOT send data in an 304 reply

On Sun, Nov 12, 2006 at 03:21:36PM +0100, Thijs Kinkhorst wrote:
> severity 388443 wishlist
> forwarded 388443 http://issues.apache.org/bugzilla/show_bug.cgi?id=40953
> thanks
> Hi,
> Christoph Biedl wrote:
> > > > 
> > > > | <?php
> > > > | header('HTTP/1.0 304 Not Modified');
> > > > | ?>
> > > 
> > > While I can see the argument that apache should perhaps be trimming its
> > 
> > See the RFC. It is not "apache should perhaps", it is "apache must".
> I disagree with your interpretation of the RFC here. I think it's
> "apache should" and "the script must" in this case. When Apache runs a
> CGI or PHP script, it essentially passes off the responsibility of
> RFC-compliant output on to the script in question. 

This is _not_ a question about the format of the output but about the
transport protocol and hence the responsibility of the server.

> There's many other
> incompliant things, like misspelled headers, a script can send, but
> Apache doesn't stop it from doing that. It's ultimately the script's
> responsibility.

No. Sending misspelled headers only affects the current request.
Sending content in a situation where no content is allowed affects the
next request(s) [and might well be a security problem].

> It could, of course. But that's wishlist. I've filed such a request for
> enhancement upstream.

No. Apache _has_ to ensure _transport_ protocol conformance as much as
the kernel has to ensure that applications can't send IP packets once a
socket is closed.

 Cheers, Ralf Mattes 
> Thijs
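
Added example, not part of the original thread: a minimal Python check that reads a keep-alive byte stream the way a conforming client does (a 304 never has a body, whatever Content-Length says) and reports the bytes that then cannot be parsed as the next response. The function names and both sample streams are constructed for illustration; only Content-Length framing is handled, not chunked encoding.

```python
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")
CONTENT_LENGTH = re.compile(rb"^content-length:[ \t]*(\d+)\r\n", re.M)


def no_body(status: int) -> bool:
    """Status codes whose responses end at the blank line after the headers."""
    return status in (204, 304) or 100 <= status < 200


def parse_keepalive_stream(stream: bytes):
    """Split back-to-back responses on one persistent connection.

    Returns (responses, stray): responses is a list of (status, body);
    stray holds the bytes that do not start a valid response.
    """
    responses, pos = [], 0
    while pos < len(stream):
        m = STATUS_LINE.match(stream, pos)
        if not m:
            # Not a status line: the previous response sent data that the
            # client was not allowed to consume as its body.
            return responses, stream[pos:]
        head_end = stream.find(b"\r\n\r\n", m.end() - 2)
        if head_end < 0:
            return responses, stream[pos:]
        status = int(m.group(1))
        headers = stream[m.end():head_end + 2].lower()
        body_start = head_end + 4
        if no_body(status):
            length = 0  # any Content-Length header is ignored here
        else:
            cl = CONTENT_LENGTH.search(headers)
            length = int(cl.group(1)) if cl else len(stream) - body_start
        responses.append((status, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses, b""


# Constructed samples: the same two responses, once with a bodiless 304
# and once with a 304 that carries five bytes of content.
NEXT = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
COMPLIANT = b"HTTP/1.1 304 Not Modified\r\n\r\n" + NEXT
BROKEN = b"HTTP/1.1 304 Not Modified\r\nContent-Length: 5\r\n\r\nhello" + NEXT

if __name__ == "__main__":
    for name, data in (("compliant", COMPLIANT), ("broken", BROKEN)):
        print(name, parse_keepalive_stream(data))
```
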
