[Zope-dev] Re: ZServer response RFC compliance improvement

Jens Vagelpohl jens at dataflake.org
Tue Aug 23 15:48:21 EDT 2005

On 22 Aug 2005, at 21:55, Michael Dunstan wrote:

> On 8/22/05, Tres Seaver <tseaver at palladion.com> wrote:
>> Are we sure that we won't be breaking the rather large possible  
>> set of
>> installed servers running behind Apache 1.3.x with the bug for which
>> adding the content length was a workaround?
> I understand that this bug was resolved in Apache 1.3.27 [1]. Which is
> a few years old now. And outdated by several security releases since
> then.

 From my reading of http://www.apacheweek.com/issues/02-10-04 this  
issue only existed in 1.3.26:

In 1.3.26, a null or all-blank Content-Length triggers an error  
although previous versions would silently ignore it and assume 0  
length. 1.3.27 restores this previous behaviour.

The other content-length-related issue actually seems to imply it is  
better to leave the header out of 304 responses, because Apache would  
"mis-use" the header and apply its value to cached content:

Some fixes to mod_proxy. The cache was incorrectly updating the  
Content-Length from 304 responses when doing validation. Also fix a  
problem where headers from other modules were added to the response  
headers when this was done in the core already.

> Also OFS.Image been patched as of Zope 2.7.1 [2] in such a way that it
> would have already tripped a combination of old-ish Apache and new-ish
> Zope. Though ZServer was still throwing in a "Content-Length: 0".
> (Which I read as sufficient to provoke the bug in Apache < 1.3.27.)

Yes, both issues mentioned above actually, from the way I read that  

This setting could be manipulated via a zope.conf directive, but from  
the evidence it seems the maintenance/administrative annoyance of  
adding yet another knob for something that seems to carry no risk  
might not be worth it. I'd still plead for including it the way it is.


More information about the Zope-Dev mailing list