Agreed.
>Also this really has nothing to do with denial of service which can be
>done in lots of ways more easily than using chunking.
One of many is still one. It is the reason that this is hard to
implement correctly on a general-purpose server. If it wasn't for that
reason I would have implemented it last year for 1.2.
>I am not sure what recourse people have at this point. You could try
>to persuade Apache developers to implement this feature. I am not
>sure if it would be possible to write an Apache module to do this.
A configurably limited input buffer that redirects the request body
before calling the script could either be implemented in the core
(where dechunking is already being done) or within a mod_cgi replacement
(duplicates effort, but certainly do-able). OTOH, it is easier to just
implement IPP as a module.
>You could also try to support a new version of the CGI spec which would
>permit CGI to take chunked input. Neither of these would deal with the
>existing base of installed servers, though.
Just replace mod_cgi with something that passes chunked to the script --
it is only a one word change, but requires scripts that can parse chunked.
>But the one thing which does seem clear is that no change or
>clarification in the HTTP spec can can help.
>
>In that regard, I would suggest that a server which rejects chunked
>message-body but returns a 200 status is not in compliance with the
>spec as it stands now.
Yep, since the status shouldn't be OK if the action wasn't successfully
performed, and you can't perform a POST successfully without understanding
the request body.
....Roy