Skip to content

Ignore response body if status code doesn't allow a body #202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
digitalresistor merged 6 commits into from
Sep 6, 2018
Merged

Ignore response body if status code doesn't allow a body #202

digitalresistor merged 6 commits into from
Sep 6, 2018

Conversation

@digitalresistor
Copy link
Member

@digitalresistor digitalresistor commented Sep 1, 2018

This is a follow-up to #166 and fixes the issue presented in #197.

This goes a step further than just making sure waitress doesn't generate any extra headers/content, it also removes it even if the application sent data it shouldn't have. This will help make sure that message bodies are not accidentally sent with HTTP status codes that SHOULD NOT contain message bodies.

Closes #197

@digitalresistor
Add new has_body property
fa2d2e0 
This is used to test if a response should have a message body or not.
1xx, 204 and 304 should not have message bodies.
@digitalresistor
Add test for 304 Not Modified
fb7dfe9
@digitalresistor
Test that sending message body on HTTP code 204/304
a03e854 
This shouldn't be allowed.
@digitalresistor
Make sure wasyncore tests don't fail on MacOS
5ca4aa4
@digitalresistor
Ignore body for status codes that don't have a body
f9ad8bb 
For responses that should not include a message body, we now explicitly
ignore the body from the application and no longer send it on to the
requesting client.

We also log a warning to let developers/users know.
This was referenced Sep 1, 2018
Merged
Closed
mmerickel
mmerickel reviewed Sep 1, 2018
View reviewed changes
waitress/task.py
content_length_header = headerval
else:
del response_headers[i]
continue # pragma: no cover
Copy link
Member

@mmerickel mmerickel Sep 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deletion while iteration - sure this is ok?

Copy link
Member Author

@digitalresistor digitalresistor Sep 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do the same thing here: https://github.com/Pylons/waitress/pull/202/files/f9ad8bbb56aab91dd2847e4137b0e94bea1791c8#diff-6965458a8fd3a611b9b9d416d9cdff67L277

and that code has been around for years.

Copy link
Member Author

@digitalresistor digitalresistor Sep 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I need to find out if enumerate creates a copy of the list or if it iterates over the list internally.

Copy link
Member Author

@digitalresistor digitalresistor Sep 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break in subtle ways if there is more than one Content-Length header set (which is illegal, but possible)

Copy link
Member

@tseaver tseaver Sep 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW, enumerate has generator semantics (see PEP 279).

Copy link
Member Author

@digitalresistor digitalresistor Sep 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then the other code and this code are both subtly broken... will fix

@digitalresistor
Rewrite removal of item from response_headers
508570d 
We don't want to delete items from a list while iterating over the list.
digitalresistor
digitalresistor commented Sep 6, 2018
View reviewed changes
waitress/task.py
if not date_header:
response_headers.append(('Date', build_http_date(self.start_time)))

self.response_headers = response_headers
Copy link
Member Author

@digitalresistor digitalresistor Sep 6, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not strictly required in this function, but required for testing.

@digitalresistor digitalresistor merged commit 4ce8f82 into master Sep 6, 2018
@digitalresistor digitalresistor deleted the body-less-304 branch September 6, 2018 04:42
digitalresistor added a commit that referenced this pull request Sep 6, 2018
@digitalresistor
Update CHANGES.txt for #202
49cfd93
@pyup-bot pyup-bot mentioned this pull request Jun 30, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tseaver tseaver tseaver left review comments

@mmerickel mmerickel mmerickel left review comments

@mcdonc mcdonc Awaiting requested review from mcdonc

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

An illegal '0' character is appended to a 304 Not Modified Response

4 participants

@digitalresistor @tseaver @mmerickel