Mercurial > hg-stable
changeset 36861:2cdf47e14c30
hgweb: refactor the request draining code
The previous code for draining was only invoked in a few places in
the wire protocol. Behavior wasn't consist. Furthermore, it was
difficult to reason about.
With us converting the input stream to a capped reader, it is now
safe to always drain the input stream when its size is known because
we can never overrun the input and read into the next HTTP request.
The only question is "should we?"
This commit changes the draining code so every request is examined.
Draining now kicks in for a few requests where it wouldn't before.
But I think the code is sufficiently restricted so the behavior is
safe. Possibly the most dangerous part of this code is the issuing
of Connection: close for POST and PUT requests that don't have a
Content-Length. I don't think there are any such uses in our WSGI
application, so this should be safe.
In the near future, I plan to significantly refactor the WSGI
response handling. I anticipate this code evolving a bit. So any
minor regressions around draining or connection closing behavior
might be fixed as a result of that work.
All tests pass with this change. That scares me a bit because it
means we are lacking low-level tests for the HTTP protocol.
Differential Revision: https://phab.mercurial-scm.org/D2769
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sat, 10 Mar 2018 11:03:45 -0800 |
parents | 290fc4c3d1e0 |
children | 1f7d9024674c |
files | mercurial/hgweb/request.py mercurial/wireprotoserver.py |
diffstat | 2 files changed, 47 insertions(+), 24 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/hgweb/request.py Sat Mar 10 10:48:34 2018 -0800 +++ b/mercurial/hgweb/request.py Sat Mar 10 11:03:45 2018 -0800 @@ -254,12 +254,6 @@ self.server_write = None self.headers = [] - def drain(self): - '''need to read all data from request, httplib is half-duplex''' - length = int(self.env.get('CONTENT_LENGTH') or 0) - for s in util.filechunkiter(self.inp, limit=length): - pass - def respond(self, status, type, filename=None, body=None): if not isinstance(type, str): type = pycompat.sysstr(type) @@ -292,6 +286,53 @@ elif isinstance(status, int): status = statusmessage(status) + # Various HTTP clients (notably httplib) won't read the HTTP + # response until the HTTP request has been sent in full. If servers + # (us) send a response before the HTTP request has been fully sent, + # the connection may deadlock because neither end is reading. + # + # We work around this by "draining" the request data before + # sending any response in some conditions. + drain = False + close = False + + # If the client sent Expect: 100-continue, we assume it is smart + # enough to deal with the server sending a response before reading + # the request. (httplib doesn't do this.) + if self.env.get(r'HTTP_EXPECT', r'').lower() == r'100-continue': + pass + # Only tend to request methods that have bodies. Strictly speaking, + # we should sniff for a body. But this is fine for our existing + # WSGI applications. + elif self.env[r'REQUEST_METHOD'] not in (r'POST', r'PUT'): + pass + else: + # If we don't know how much data to read, there's no guarantee + # that we can drain the request responsibly. The WSGI + # specification only says that servers *should* ensure the + # input stream doesn't overrun the actual request. So there's + # no guarantee that reading until EOF won't corrupt the stream + # state. + if not isinstance(self.inp, util.cappedreader): + close = True + else: + # We /could/ only drain certain HTTP response codes. But 200 + # and non-200 wire protocol responses both require draining. + # Since we have a capped reader in place for all situations + # where we drain, it is safe to read from that stream. We'll + # either do a drain or no-op if we're already at EOF. + drain = True + + if close: + self.headers.append((r'Connection', r'Close')) + + if drain: + assert isinstance(self.inp, util.cappedreader) + while True: + chunk = self.inp.read(32768) + if not chunk: + break + self.server_write = self._start_response( pycompat.sysstr(status), self.headers) self._start_response = None
--- a/mercurial/wireprotoserver.py Sat Mar 10 10:48:34 2018 -0800 +++ b/mercurial/wireprotoserver.py Sat Mar 10 11:03:45 2018 -0800 @@ -301,9 +301,6 @@ wsgireq.respond(HTTP_OK, HGTYPE, body=rsp) return [] elif isinstance(rsp, wireprototypes.pusherr): - # This is the httplib workaround documented in _handlehttperror(). - wsgireq.drain() - rsp = '0\n%s\n' % rsp.res wsgireq.respond(HTTP_OK, HGTYPE, body=rsp) return [] @@ -316,21 +313,6 @@ def _handlehttperror(e, wsgireq, req): """Called when an ErrorResponse is raised during HTTP request processing.""" - # Clients using Python's httplib are stateful: the HTTP client - # won't process an HTTP response until all request data is - # sent to the server. The intent of this code is to ensure - # we always read HTTP request data from the client, thus - # ensuring httplib transitions to a state that allows it to read - # the HTTP response. In other words, it helps prevent deadlocks - # on clients using httplib. - - if (req.method == 'POST' and - # But not if Expect: 100-continue is being used. - (req.headers.get('Expect', '').lower() != '100-continue')): - wsgireq.drain() - else: - wsgireq.headers.append((r'Connection', r'Close')) - # TODO This response body assumes the failed command was # "unbundle." That assumption is not always valid. wsgireq.respond(e, HGTYPE, body='0\n%s\n' % pycompat.bytestr(e))