
Re: ERROR verb




On Sat, 19 Jun 2004 09:03:29 -0700, Walter Underwood <wunder@xxxxxxxxxx> wrote:


I also thought about adding some sort of error notification
back to the HTTP server. But I didn't like it.

It is a big opening for denial of service attacks, filling up
the log with bogus notifications. I can't imagine anyone leaving
that open on a public server.

Uhm. What in the world gives you the idea that logging the word 'ERR' besides the request information is harder on the server than logging 'GET' or 'POST' alongside the exact same information? ERR gets treated the exact same way as GET and POST -- by default[1]. The non-default way would be to either not log the request, or to handle it in a special way.


Special handling is done regularly on GET requests. Nearly all database-driven websites do this. They dynamically spit out something based on query parameters. How can an ERR request be more DoS-vulnerable than dynamic GET requests?

If Atom requires this, we need to address the DoS vulnerability.

Atom would not require anything of this sort, imho. But a method of error notification SHOULD be provided and SHOULD be implemented in clients. It MAY also be implemented in servers, if it's necessary or people find it useful. If not, the ERR either just gets logged, or just goes away. E.g., no harm done.


____
[1] «Default» being current practice.

--
Asbjørn Ulsberg         -=|=-        asbjornu@xxxxxxxxxxx
«He's a loathsome offensive brute, yet I can't look away»