
List:       kde-bugs-dist
Subject:    Bug#45241: kpf does not handle HTTP version numbers correctly
From:       jju () dif ! dk
Date:       2002-07-15 16:22:02

Package: kpf
Version: KDE 3.0.6 CVS/CVSup/Snapshot
Severity: normal
Installed from:    Compiled sources
Compiler:          gcc 2.95.3
OS:                Linux
OS/Compiler notes: Not Specified

kpf does not send version numbers in HTTP responses correctly. 

Example 1:

Client sends:
HEAD / HTTP/1.3

Server responds with:
HTTP/1.3 200 OK
<irrelevant headers removed>


Example 2:

Client sends:
HEAD / HTTP/3.2

Server responds with:
HTTP/3.2 200 OK
<irrelevant headers removed>


If you read the HTTP/1.1 RFC (RFC 2616) and the HTTP Version Numbers RFC (RFC 2145), then it becomes clear that what happens in the two examples above is not correct. The server must never respond with an HTTP version that it does not support (which makes sense, since how can it possibly know it is sending a correctly formatted message). Let me quote a bit from RFC 2145 section 2.3:

"An HTTP server SHOULD send a response version equal to the highest
   version for which the server is at least conditionally compliant, and
   whose major version is less than or equal to the one received in the
   request.  An HTTP server MUST NOT send a version for which it is not
   at least conditionally compliant.  A server MAY send a 505 (HTTP
   Version Not Supported) response if cannot send a response using the
   major version used in the client's request."

So, the correct response in Example 1 is

HTTP/1.1 200 OK

(followed by an HTTP/1.1 formatted message of course) since HTTP/1.1 is the highest version of HTTP with which the server is at least conditionally compliant.


In example 2 the server has two choices. Since the major version of the request is greater than the one the server supports it is allowed to respond with a 505 (HTTP Version Not Supported) status code, and that would IMHO be the right thing to do since the server has no way of knowing if it can correctly interpret the message the client sends (even if it looks like a message conforming to a lower version). It /may/ also choose to respond in a lower version than the request, but it /should/ not do so for HTTP/1.1 requests and above (better to send the 505) - again a quote from RFC 2145 to clarify: "An HTTP server MAY send a lower response version, if it is known or suspected that the client incorrectly implements the HTTP specification, but this should not be the default, and this SHOULD NOT be done if the request version is HTTP/1.1 or greater.".

So, the response in example 2 really should be 

HTTP/1.1 505 HTTP Version Not Supported

Read up on 505 in RFC 2616


In the above I assume that kpf tries to be at least conditionally compliant with HTTP/1.1.

For your convenience, here are links to the mentioned RFCs:

http://www.ietf.org/rfc/rfc2616.txt
http://www.ietf.org/rfc/rfc2145.txt


Regards,
Jesper Juhl - jju@dif.dk


(Submitted via bugs.kde.org)


(Complete bug history is available at http://bugs.kde.org/db/45/45241.html)
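
The version selection described in the report, as an added example that is not part of the original message and is not kpf's code. It assumes a server that implements HTTP/1.1 only; the function names, the 400 answer for an unparseable version and the 505 answer for major version 0 are assumptions of this example.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Assumption: the server implements HTTP/1.1 and nothing newer.
const int kMajor = 1;
const std::string kOwnVersion = "HTTP/1.1";

// Read 1*DIGIT starting at s[i]; leading zeros are ignored (RFC 2616, 3.1).
static bool readNumber(const std::string& s, std::size_t& i, int& out) {
    std::size_t start = i;
    out = 0;
    while (i < s.size() && std::isdigit(static_cast<unsigned char>(s[i]))) {
        out = out * 10 + (s[i] - '0');
        if (out > 9999) return false;  // absurd version number, reject
        ++i;
    }
    return i > start;
}

// Extract major/minor from the last token of a request line.
bool parseVersion(const std::string& line, int& major, int& minor) {
    std::size_t sp = line.rfind(' ');
    if (sp == std::string::npos) return false;
    std::string tok = line.substr(sp + 1);
    if (tok.compare(0, 5, "HTTP/") != 0) return false;
    std::size_t i = 5;
    if (!readNumber(tok, i, major)) return false;
    if (i >= tok.size() || tok[i++] != '.') return false;
    return readNumber(tok, i, minor) && i == tok.size();
}

// Choose the status line; "200 OK" stands in for the normal result.
std::string statusLineFor(const std::string& requestLine) {
    int major = 0, minor = 0;
    if (!parseVersion(requestLine, major, minor))
        return kOwnVersion + " 400 Bad Request";  // assumption of this example
    if (major != kMajor)                          // e.g. HTTP/3.2
        return kOwnVersion + " 505 HTTP Version Not Supported";
    // Same major, any minor (1.0, 1.1, 1.3): answer with our own version,
    // never with the version string copied from the request.
    return kOwnVersion + " 200 OK";
}

int main() {
    for (const char* l : {"HEAD / HTTP/1.3", "HEAD / HTTP/3.2"})
        std::cout << l << " -> " << statusLineFor(l) << "\n";
}
```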

