[Web-SIG] Most WSGI servers close connections too early.

Robert Brewer fumanchu at aminus.org
Wed Sep 22 17:34:10 CEST 2010


Marcel Hellkamp wrote:
> I just discovered a problem that affects most WSGI server
> implementations and most current web-browsers (tested with wsgiref,
> paste, firefox, chrome, wget and curl):
> 
> If the server closes the connection while the client is still uploading
> data via POST or PUT, the browser displays an error message
> ('Connection closed') and does not display the response sent by the server.
> 
> The error occurs if an application chooses to not process a form
> submission before returning to the WSGI server. This is quite rare in
> real world scenarios, but hard to debug because the server logs the
> request as successfully sent to the client.
> 
> To reproduce the problem, run the following script, visit
> http://localhost:8080/ and upload a big file::
> 
> from wsgiref.simple_server import make_server
> 
> def application(environ, start_response):
>     # Never reads environ['wsgi.input'], so the uploaded body stays unread.
>     start_response('200 OK', [('Content-Type', 'text/html')])
>     # WSGI response bodies are byte strings.
>     return [b"""
>     <form method='post' enctype='multipart/form-data'>
>       Upload big file:
>       <input type='file' name='file' />
>       <input type='submit' />
>     </form>
>     """]
> 
> server = make_server('localhost', 8080, application)
> server.serve_forever()
> 
> I would like to add a warning to the WSGI/web3 specification to address
> this issue:
> 
> "An application should read all available data from
> `environ['wsgi.input']` on POST or PUT requests, even if it does not
> process that data. Otherwise, the client might fail to complete the
> request and not display the response."

Indeed. CherryPy has protected against this for some time. But it shouldn't be the burden of *applications* to do this; the WSGI "origin" server can do so quite easily.

However, the caveat requires a caveat: servers must still be able to protect themselves from malicious clients. In practice, that means allowing servers to close the connection without reading the entire request body if a certain number of bytes is exceeded.


Robert Brewer
fumanchu at aminus.org
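
Added example (not part of the original message and not CherryPy's code): a WSGI middleware that implements the server-side approach described in the reply, discarding the unread request body once the application is done but reading nothing when the unread part exceeds a byte cap. The names `CountingInput`, `drain_unread`, `DrainMiddleware`, `demo`, the `example.body_drained` environ key and the cap values are assumptions; it relies on `CONTENT_LENGTH` and does not handle chunked request bodies.

```python
import io

class CountingInput:
    """Wrap wsgi.input; track how many declared body bytes are unread."""
    def __init__(self, stream, length):
        self.stream, self.remaining = stream, length

    def _take(self, fn, size):
        if size is None or size < 0 or size > self.remaining:
            size = self.remaining  # never read past Content-Length
        data = fn(size) if size else b""
        self.remaining -= len(data)
        return data

    def read(self, size=-1):
        return self._take(self.stream.read, size)

    def readline(self, size=-1):
        return self._take(self.stream.readline, size)

def drain_unread(body, max_drain, chunk=64 * 1024):
    """Discard the unread body; True only if all of it was consumed."""
    if body.remaining > max_drain:
        return False  # over the cap: read nothing, server should close
    while body.remaining and body.read(min(chunk, body.remaining)):
        pass
    return body.remaining == 0  # False if the client stopped sending early

class DrainMiddleware:
    def __init__(self, app, max_drain=1024 * 1024):
        self.app, self.max_drain = app, max_drain

    def __call__(self, environ, start_response):
        raw = environ.get("CONTENT_LENGTH") or "0"
        length = int(raw) if raw.isdecimal() else 0
        body = environ["wsgi.input"] = CountingInput(environ["wsgi.input"], length)
        result = self.app(environ, start_response)
        try:
            yield from result
        finally:
            getattr(result, "close", lambda: None)()  # WSGI: close the iterable
            # Hypothetical key a server would check before reusing the socket.
            environ["example.body_drained"] = drain_unread(body, self.max_drain)

def demo(size, max_drain=8192):
    """Constructed POST of `size` bytes to an app that ignores the body."""
    env = {"CONTENT_LENGTH": str(size), "wsgi.input": io.BytesIO(b"x" * size)}
    list(DrainMiddleware(lambda e, sr: [b"ok"], max_drain)(env, None))
    return env["example.body_drained"], env["wsgi.input"].remaining
```

A server using this would keep the connection open only when the flag is true and close it otherwise, which covers both the oversized upload and the client that stops sending before `CONTENT_LENGTH` bytes arrive.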

