New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Puma 6 hard-codes "allowed" HTTP methods #3014
Comments
I think we could add a note about this in the upgrade guide/history under breaking changes. However, any support of non-standard HTTP verbs prior to Puma 6 was completely accidental. When considering how Puma should react, RFC 9110 lists the 8 standard methods, so that's how we implemented this. IMO HTTP methods are not a 100% Rack-level concern so it's Puma's job to make sure that we handle HTTP methods correctly. Supporting arbitrary methods is therefore not good. |
What about allowing the user to specify methods that should also be considered supported? If the user knows their rack app can handle it. I actually had the thought that this was a breaking change but I failed to come up with a valid use case so I never said anything in the PR. |
The RFC as I interpret it doesn't say that the HTTP methods listed are required to be the only methods (only that GET and HEAD are required and the rest are optional). It says I should respond with 501 only if the origin server does not recognize or does not implement the method. I think the ambiguity is who's in charge of making that determination, puma or the web app. Since puma is primarily used for highly customized programming, I feel like it should be the responsibility of the web application, not the HTTP server, to make this determination because in my use case, I do recognize the method and can handle it. If this was causing a major security problem I might have a different opinion (but would probably still do the implementation upstream with something like nginx), but failing that check I think it's reasonable to move back to the original behavior and allow the web application to decide how to handle irregular methods. |
Correct. See Hypertext Transfer Protocol (HTTP) Method Registry, note that there are RFC's for all the additional methods. Both PROPFIND and MKCOL are listed there. See RFC9110 16.1 Method Extensibility Maybe a good option would be to leave the code as is, and add an option like 'http-methods-extended', which would add the methods in the registry? @kyledrake are you using methods that are not defined in the registry? |
I'm not using anything "non-standard" that WebDAV wouldn't use. And frankly if I had designed WebDAV it would have used the common HTTP methods and/or been designed a lot better. 🙃 |
To clarify, all the "non-standard" methods you're using are listed in Hypertext Transfer Protocol (HTTP) Method Registry? |
All of the methods I am using are in that list, correct. |
I would like to work on a PR for this issue. 😉 Which option would work best in your opinion?
I started working on tests and implementation, but I would love your opinion on which design would be the best. 🙏 |
I like 2 best |
I just found the code I started for this, which defines two constants in Thoughts? Not sure about method/const naming, or point 2 above by @francois-ferrandis I think I wanted to bench whether it was better to create hashes or arrays. Or, what's faster, SUPPORTED_HTTP_METHODS = %w[HEAD GET POST PUT DELETE OPTIONS TRACE PATCH].sort.freeze
# see https://www.iana.org/assignments/http-methods/http-methods.xhtml
# updated 07-Nov-2022
EXTENDED_HTTP_METHODS = %w[
# list from the registry
] |
I'm not sure I was 100% right here. Now that I'm seeing the alternative in #3041, I think maybe I made a mistake saying we should not accept all HTTP methods. Adding this extra config point seems pretty fiddly, and I guess I was surprised with how many people depended on the non-standard HTTP methods. |
I think it is useful to keep the config option, in order to address what was requested in #1441, to reject requests that your app doesn't support The default could be changed though, to accept any method. Would we have to wait until Puma 7 for that? |
I have to agree, I feel like puma should accept any method by default. I will gladly close PR #3041 if all that complexity is not needed. 🧹
I can't seem to find where that need was expressed, is it really puma's responsibility or could it be left to puma users to handle that themselves? Genuine question here. 🙃
I am also curious about versioning and communication. It is unclear to me how these decisions are made, where can I find more info on the project's governance? Thank you all for your time. 🙏 |
It comes from #1441, an issue reported in 2017 for Puma 3.10.0. In 2021, Nate commented on it and PR #2932 followed in 2022. You can trigger the issue like this:
Make the PROXY request (using
Puma 5 will log
Puma 6 will log
Puma 6 also logs I think I misunderstood #1441, I thought it was much easier to trigger the |
That context is very helpful @dentarg. Let me think about it some more... |
@nateberkopec Another thing to consider is that Puma has now turned
|
See comment #3106 (comment) |
Hm? Not sure what you're referring too there, as PROPFIND is a method for WEBDAV. It's possible you have to preflight that, but the PROPFIND method itself is a WEBDAV thing. |
@nateberkopec You are right! I got PROPFIND mixed up with OPTIONS, I'll remove my comment to avoid confusion. |
Puma 6 has introduced a SUPPORTED_HTTP_METHODS constant and a check which fails other methods:
puma/lib/puma/request.rb
Line 94 in 3d33475
This will break, at a bare minimum, WebDAV implementations behind Puma, which use methods like PROPFIND and MKCOL.
I'm not sure what the "correct" approach here is, but we did have a working WebDAV implementation that is no longer working with Puma 6 and I've had to downgrade for now to figure out how to deal with this for the time being.
The text was updated successfully, but these errors were encountered: