[Ietf-caldav] Re: draft-reschke-http-addmember-00

Jamie Lokier jamie at shareable.org
Mon Feb 21 13:32:47 PST 2005


Geoffrey M Clemm wrote:
>    My main concern is that because of the popularity of SOAP,
>    many/most implementations fall into category 2b (i.e., "clueless"),
>    so a resource will say that it supports the POST operation,
>    but will actually fail it with some kind of 4xx response
>    because it cannot parse the body, or in the worst case,
>    will successfully parse the body and execute some potentially
>    harmful SOAP operation that was never intended by the client
>    (the client just wanted a subsidiary whose content was that body
>    to be created).
..
>    I'm rather surprised that clueless (e.g., SOAP :-) implementations
>    would parse the body of an unknown method (e.g., ADDMEMBER)
>    and treat it as if it were a POST call.

Yes...  I have seen numerous CGI implementations which parse a request
as GET or POST, even if it has another method.

>    But even if a clueless implementation will try to parse the
>    body of an unknown method like ADDMEMBER, I assume it is very
>    unlikely that it would say that it supports the ADDMEMBER
>    method on that resource, so that at least would give the client
>    a way of avoiding the problem (i.e., by first asking the resource
>    if it supports the ADDMEMBER function, before attempting it).

I think that's a reasonable assumption.

But you should always try to avoid accessing unknown resources, even
to query their capabilities:  There are implementations where sending
OPTIONS to them will be interpreted as a POST or stateful GET :)

-- Jamie


More information about the Ietf-caldav mailing list