aiohttp may respond to requests sent after the client asks for the connection to be closed #8087
Comments
Connection: close
is present
That error is from the Python parser. With llhttp, you get the more accurate:
For the server, it merely says that it should not process further requests. It does not say it should process the previous request. So, I think tweaking the Python parser to match the llhttp error is fine.
I suppose this might be technically allowable, but it's pretty unintuitive in my opinion. I would assume that data received after a connection has been declared closed should not invalidate previous valid messages sent on that connection. I've since tested this on many more HTTP implementations. These ones reject the second request without responding to the first:
These ones respond to the first request and ignore the second because the connection is closed:
Given the behavior of other implementations, it's probably worth at least documenting that AIOHTTP handles things differently.
As we use llhttp, if you convince Node.js to change behaviour, then we'll update the Python parser to match. But, it'd be weird to have different behaviour depending on the parser used. Given that the client in this case has violated the HTTP protocol, I don't think it really matters whether the behaviour is intuitive or not, it should never be encountered by an HTTP client.
Describe the bug
From RFC 9112, section 9.6:
When aiohttp receives a pipeline with a request containing Connection: close, followed by an invalid request, aiohttp responds only to the second (invalid) request, even though the standard requires that aiohttp respond only to the first one.
To Reproduce
Connection: close set, followed by an invalid request:
Expected behavior
The server should respond only to the first request, and then close the connection.
Logs/tracebacks
Python Version
aiohttp Version
multidict Version
yarl Version
OS
Debian 12 (running in Docker on Arch Linux)
Linux 6.7.2
Related component
Server
Additional context
Some other HTTP implementations that handle this correctly:
Apache httpd, Boost::Beast, Daphne, H2O, Lighttpd, Nginx, Tornado, OpenWrt uhttpd, Waitress
Some other HTTP implementations that also have this bug:
Mongoose, Uvicorn
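A toy model of the two behaviours discussed in this issue, as an added example that is not aiohttp's or llhttp's code: `parse_then_dispatch` reproduces the reported outcome (a single 400 for the invalid request) and `stop_at_close` the outcome the report expects. Request bodies are not modelled, and every function name and the sample pipeline are constructed for illustration.

```python
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def parse_head(head: bytes):
    """Return (valid, wants_close) for one body-less request head."""
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False, False
    close = False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            return False, False  # no colon, empty name, or space around the name
        if name.lower() == b"connection":
            tokens = {t.strip().lower() for t in value.split(b",")}
            close = close or b"close" in tokens
    return True, close

def heads(buf: bytes):
    """Split a buffer of body-less requests into header blocks."""
    return [h for h in buf.split(b"\r\n\r\n") if h]

def parse_then_dispatch(buf: bytes):
    """Parse the whole buffer first; one bad request discards the rest."""
    parsed = [parse_head(h) for h in heads(buf)]
    if not all(valid for valid, _ in parsed):
        return [400]
    out = []
    for _, close in parsed:
        out.append(200)
        if close:
            break
    return out

def stop_at_close(buf: bytes):
    """Answer requests in order and ignore bytes after Connection: close."""
    statuses = []
    for head in heads(buf):
        valid, close = parse_head(head)
        statuses.append(200 if valid else 400)
        if close or not valid:
            break
    return statuses

# Constructed sample: a valid request with Connection: close, then garbage.
PIPELINE = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n"
    b"INVALID\r\n\r\n")
```

The returned lists are the status codes a client would see on the connection, in order, which makes the difference between the two strategies directly comparable in a regression test.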