
HTTP 400 when requesting a long URL
Closed, Declined (Public)

Description

http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html :
The HTTP protocol does not place any a priori limit on the length of a URI.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html :
The request could not be understood by the server due to malformed syntax.

A long URL is not malformed syntax, so we shouldn't respond with HTTP 400.

URL (produced by a user script):

http://zh.wikipedia.org/w/api.php?action=query&format=json&callback=CatNav.callback&titles=Category%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E8%A1%8C%E6%94%BF%E5%8C%BA%E5%88%92%7CCategory%3A%E4%B8%AD%E5%9B%BD%E7%89%B9%E5%88%AB%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E4%BA%9A%E6%B4%B2%E5%9B%BD%E5%AE%B6%7CCategory%3A%E5%90%84%E7%A8%AE%E4%B8%BB%E9%A1%8C%E7%9A%84%E9%A0%81%E9%9D%A2%E5%88%86%E9%A1%9E%7CCategory%3A%E4%B8%AD%E5%9B%BD%E4%BC%81%E4%B8%9A%7CCategory%3A%E5%90%84%E5%9C%8B%E5%85%AC%E5%8F%B8%7CCategory%3A%E4%B8%AD%E5%9B%BD%E5%9C%B0%E7%90%86%E5%A4%A7%E5%8C%BA%7CCategory%3A%E4%B8%AD%E5%9B%BD%E7%BB%8F%E6%B5%8E%7CCategory%3A%E5%90%84%E5%9C%8B%E5%9C%B0%E7%90%86%7CCategory%3A%E4%B8%AD%E5%9B%BD%E8%A1%8C%E6%94%BF%E5%8C%BA%E5%88%92%7CCategory%3A%E5%9F%8E%E9%95%87%7CCategory%3A%E6%9D%B1%E4%BA%9E%E5%82%B3%E7%B5%B1%E6%96%87%E5%8C%96%7CCategory%3A%E6%9D%B1%E4%BA%9E%E6%96%87%E5%8C%96%E5%9C%88%7CCategory%3A%E5%90%84%E5%9C%8B%E9%9B%BB%E8%A6%96%7CCategory%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%7CCategory%3A%E5%90%84%E5%9C%8B%E7%B5%84%E7%B9%94%7CCategory%3A%E4%BA%9E%E6%B4%B2%E8%AA%9E%E8%A8%80%7CCategory%3A%E5%90%84%E5%9C%8B%E8%AA%9E%E8%A8%80%7CCategory%3A%E9%87%91%E8%9E%8D%7CCategory%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E5%90%84%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E4%B8%AD%E5%9B%BD%E4%B8%80%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E6%AD%A3%E7%9C%81%E9%83%A8%E7%BA%A7%7CCategory%3A%E5%85%AC%E5%8F%B8%7CCategory%3A%E8%B4%B8%E6%98%93%7CCategory%3A%E4%BE%9D%E5%9C%B0%E7%90%86%E4%BD%8D%E7%BD%AE%E6%9D%A5%E4%BD%9C%E7%9A%84%E5%88%86%E7%B1%BB%7CCategory%3A%E5%9B%BD%E5%AE%B6%7CCategory%3A%E8%AF%AD%E8%A8%80%7CCategory%3A%E5%9F%8E%E5%B8%82%7CCategory%3A%E7%94%B5%E8%A7%86%E5%8F%B0%7CCategory%3A%E4%BC%A0%E6%92%AD%E5%AD%A6%7CCategory%3A%E7%A4%BE%E4%BC%9A%7CCategory%3A%E4%BA%9A%E6%B4%B2%E5%9C%B0%E7%90%86%7CCategory%3A%E4%B8%AD%E5%8D%8E%E6%B0%91%E6%97%8F%7CCategory%3A%E6%BC%A2%E8%97%8F%E8%AA%9E%E7%B
3%BB%7CCategory%3A%E5%8C%BA%E5%9F%9F%E5%9C%B0%E7%90%86%7CCategory%3A%E6%94%BF%E5%BA%9C%7CCategory%3A%E9%87%91%E8%9E%8D%E5%AD%A6%7CCategory%3A%E5%B8%82%E5%A0%B4%7CCategory%3A%E6%9C%8D%E5%8A%A1%7CCategory%3A%E7%BB%84%E7%BB%87%7CCategory%3A%E4%B8%AD%E5%9B%BD%E9%87%91%E8%9E%8D%E5%85%AC%E5%8F%B8%7CCategory%3A%E9%A6%99%E6%B8%AF%E6%8A%95%E8%B3%87%E5%8F%8A%E8%9E%8D%E8%B3%87&prop=categories&clshow=!hidden&cllimit=5000&requestid=Category%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E8%A1%8C%E6%94%BF%E5%8C%BA%E5%88%92%7CCategory%3A%E4%B8%AD%E5%9B%BD%E7%89%B9%E5%88%AB%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E4%BA%9A%E6%B4%B2%E5%9B%BD%E5%AE%B6%7CCategory%3A%E5%90%84%E7%A8%AE%E4%B8%BB%E9%A1%8C%E7%9A%84%E9%A0%81%E9%9D%A2%E5%88%86%E9%A1%9E%7CCategory%3A%E4%B8%AD%E5%9B%BD%E4%BC%81%E4%B8%9A%7CCategory%3A%E5%90%84%E5%9C%8B%E5%85%AC%E5%8F%B8%7CCategory%3A%E4%B8%AD%E5%9B%BD%E5%9C%B0%E7%90%86%E5%A4%A7%E5%8C%BA%7CCategory%3A%E4%B8%AD%E5%9B%BD%E7%BB%8F%E6%B5%8E%7CCategory%3A%E5%90%84%E5%9C%8B%E5%9C%B0%E7%90%86%7CCategory%3A%E4%B8%AD%E5%9B%BD%E8%A1%8C%E6%94%BF%E5%8C%BA%E5%88%92%7CCategory%3A%E5%9F%8E%E9%95%87%7CCategory%3A%E6%9D%B1%E4%BA%9E%E5%82%B3%E7%B5%B1%E6%96%87%E5%8C%96%7CCategory%3A%E6%9D%B1%E4%BA%9E%E6%96%87%E5%8C%96%E5%9C%88%7CCategory%3A%E5%90%84%E5%9C%8B%E9%9B%BB%E8%A6%96%7CCategory%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%7CCategory%3A%E5%90%84%E5%9C%8B%E7%B5%84%E7%B9%94%7CCategory%3A%E4%BA%9E%E6%B4%B2%E8%AA%9E%E8%A8%80%7CCategory%3A%E5%90%84%E5%9C%8B%E8%AA%9E%E8%A8%80%7CCategory%3A%E9%87%91%E8%9E%8D%7CCategory%3A%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E5%90%84%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E4%B8%AD%E5%9B%BD%E4%B8%80%E7%BA%A7%E8%A1%8C%E6%94%BF%E5%8C%BA%7CCategory%3A%E6%AD%A3%E7%9C%81%E9%83%A8%E7%BA%A7%7CCategory%3A%E5%85%AC%E5%8F%B8%7CCategory%3A%E8%B4%B8%E6%98%93%7CCategory%3A%E4%BE%9D%E5%9C%B0%E7%90%86%E4%BD%8D%E7%BD%AE%E6%9D%A5%E4%BD%9C%E7%9A%84%E5%88%86%E7%B1%BB%7CCategory%3A%E5%9B%BD%
E5%AE%B6%7CCategory%3A%E8%AF%AD%E8%A8%80%7CCategory%3A%E5%9F%8E%E5%B8%82%7CCategory%3A%E7%94%B5%E8%A7%86%E5%8F%B0%7CCategory%3A%E4%BC%A0%E6%92%AD%E5%AD%A6%7CCategory%3A%E7%A4%BE%E4%BC%9A%7CCategory%3A%E4%BA%9A%E6%B4%B2%E5%9C%B0%E7%90%86%7CCategory%3A%E4%B8%AD%E5%8D%8E%E6%B0%91%E6%97%8F%7CCategory%3A%E6%BC%A2%E8%97%8F%E8%AA%9E%E7%B3%BB%7CCategory%3A%E5%8C%BA%E5%9F%9F%E5%9C%B0%E7%90%86%7CCategory%3A%E6%94%BF%E5%BA%9C%7CCategory%3A%E9%87%91%E8%9E%8D%E5%AD%A6%7CCategory%3A%E5%B8%82%E5%A0%B4%7CCategory%3A%E6%9C%8D%E5%8A%A1%7CCategory%3A%E7%BB%84%E7%BB%87%7CCategory%3A%E4%B8%AD%E5%9B%BD%E9%87%91%E8%9E%8D%E5%85%AC%E5%8F%B8%7CCategory%3A%E9%A6%99%E6%B8%AF%E6%8A%95%E8%B3%87%E5%8F%8A%E8%9E%8D%E8%B3%87&_=1268131053221


Version: unspecified
Severity: enhancement

Details

Reference
bz22778

Event Timeline

bzimport raised the priority of this task from to Lowest. (Nov 21 2014, 11:02 PM)
bzimport set Reference to bz22778.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to comment #0)
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html :
> The HTTP protocol does not place any a priori limit on the length of a URI.
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html :
> The request could not be understood by the server due to malformed syntax.
>
> A long URL is not malformed syntax, so we shouldn't respond with HTTP 400.

It is very common for overlong GET URLs to be greeted with a 400 AFAIK. Different web servers have different limits, though. Such long URLs should really be replaced with POST requests.

Suggest INVALID.

We could probably return 414, ehehehe:

10.4.15 414 Request-URI Too Long

The server is refusing to service the request because the Request-URI is longer than the server is willing to interpret. This rare condition is only likely to occur when a client has improperly converted a POST request to a GET request with long query information, when the client has descended into a URI "black hole" of redirection (e.g., a redirected URI prefix that points to a suffix of itself), or when the server is under attack by a client attempting to exploit security holes present in some servers using fixed-length buffers for reading or manipulating the Request-URI.

(In reply to comment #1)
> (In reply to comment #0)
> > http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html :
> > The HTTP protocol does not place any a priori limit on the length of a URI.
> >
> > http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html :
> > The request could not be understood by the server due to malformed syntax.
> >
> > A long URL is not malformed syntax, so we shouldn't respond with HTTP 400.
>
> It is very common for overlong GET URLs to be greeted with a 400 AFAIK.
> Different web servers have different limits, though. Such long URLs should
> really be replaced with POST requests.
>
> Suggest INVALID.

If I change it to POST, I cannot make use of callback.

That is very very, very, very very sad.

If Liangent means that we should allow arbitrarily long URLs, then this is a WONTFIX. I think he does so that's how I'm marking it. If he means that the response code should be 414 instead of 400, then that can be submitted upstream, to http://bugs.squid-cache.org/
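
The 400-versus-414 distinction argued in this thread, as an added example (not code from Squid, MediaWiki or any commenter): a request-line check that reports a syntax error as 400 and an over-limit but otherwise well-formed request-target as 414, measuring the target in place instead of copying it into a fixed-length buffer. The names `classify_request_line` and `classify_cstr`, the `truncated` flag and the limits 8192 and 16 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Classify an HTTP/1.x request line "METHOD SP request-target SP HTTP/1.x".
 * line/len : bytes read so far, CRLF excluded (caller uses a bounded read).
 * truncated: non-zero if that read hit its cap before finding CRLF.
 * max_uri  : longest request-target the server is willing to interpret.
 * Returns 200, 400 (malformed syntax) or 414 (request-target too long).
 * The target is only measured, never copied into a fixed-size buffer. */
int classify_request_line(const char *line, size_t len, int truncated,
                          size_t max_uri)
{
    const char *end = line + len;
    for (const char *p = line; p < end; p++) {   /* control bytes: syntax error */
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f)
            return 400;
    }
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line)
        return 400;                       /* missing method token */
    const char *uri = sp1 + 1;
    const char *sp2 = memchr(uri, ' ', (size_t)(end - uri));
    if (sp2 == NULL)                      /* target runs to the end of the data */
        return truncated ? 414 : 400;
    if (sp2 == uri)
        return 400;                       /* empty request-target */
    if ((size_t)(sp2 - uri) > max_uri)
        return 414;                       /* well-formed so far, only too long */
    /* Exactly "HTTP/1.0" or "HTTP/1.1" must follow the second space. */
    const char *ver = sp2 + 1;
    if (truncated || (size_t)(end - ver) != 8 ||
        memcmp(ver, "HTTP/1.", 7) != 0 || (ver[7] != '0' && ver[7] != '1'))
        return 400;
    return 200;
}

/* Convenience wrapper for NUL-terminated sample lines. */
int classify_cstr(const char *s, int truncated, size_t max_uri)
{
    return classify_request_line(s, strlen(s), truncated, max_uri);
}

int main(void)
{
    const char *req = "GET /w/api.php?action=query HTTP/1.1"; /* constructed */
    printf("%d %d\n", classify_cstr(req, 0, 8192), classify_cstr(req, 0, 16));
    return 0;
}
```

A request line cut off by the bounded read while still inside the target is reported as 414; one that ends early without being cut off is 400.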