1

I was working on a simple API server using tornado and all requests require the parameter access_token. I was playing with curl, and was surprised to find that DELETE and GET requests will not extract this value from the request body--they only allow this param to be passed via the query string.

i.e., when I do

 curl -i -X DELETE -d access_token=1234 http://localhost:8888/

In the delete method of my web handler, this returns None:

 self.get_argument('access_token', None)

However, when I do

 curl -i -X DELETE http://localhost:8888/?access_token=1234

This yields "1234" as expected:

 self.get_argument('access_token', None)

I examined the tornado source, and found that the body is only parsed for POST and PUT requests: https://github.com/facebook/tornado/blob/4b346bdde80c1e677ca0e235e04654f8d64b365c/tornado/httpserver.py#L258

Is it correct to ignore the request body for GET, HEAD, and DELETE requests, or is this a choice made by the authors of tornado?

kortina
  • See http://stackoverflow.com/questions/978061/http-get-with-request-body and http://tech.groups.yahoo.com/group/rest-discuss/message/9962 – Bruno Dec 06 '11 at 02:29

2 Answers

2

This is correct per the HTTP/1.1 protocol specification.

DELETE and GET requests do not accept entity data enclosed in the request.

According to the definition, get requests retrieve their entity data from the request URI.

HEAD requests are defined as identical to GET requests except that the server should not return a message body in the response.

Therefore the authors of tornado were correct to ignore the "post" data for GET, HEAD, and DELETE.

See HTTP/1.1 Method Definitions

drew010
  • 1
    RFC-2616 sec 4.3 "A server SHOULD read and forward a message-body on any request; if the request method does not include defined semantics for an entity-body, then the message-body SHOULD be ignored when handling the request." – SingleNegationElimination Dec 06 '11 at 02:40
  • 2
    "According to the definition, get requests retrieve their entity data from the request URI." - I don't think the spec says that. Correct me if you have a pointer. All HTTP requests *can* have a request body, this includes HEAD, GET and DELETE. It's just that the spec doesn't define what it means, and it's uncommon to use them, so we're talking only about conventions, not spec requirements. – Julian Reschke Dec 06 '11 at 08:43
0

It is a good idea not to accept requests with a payload if they are not POST or PUT, just for security reasons. Some servers, e.g. lighttpd, return a server error in this case.

lig
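The behaviour discussed in this thread, as an added example that is not part of any post and is not Tornado's code: query-string arguments are always read, a form body is merged only for POST and PUT, and a body on any other method is either ignored or, in strict mode, rejected. `extract_arguments`, `get_argument`, `UnexpectedBody` and the `strict` flag are hypothetical names, and the inputs are constructed from the two curl commands in the question.

```python
from urllib.parse import parse_qs, urlsplit

BODY_METHODS = {"POST", "PUT"}  # methods whose body is parsed, per the question
FORM_TYPE = "application/x-www-form-urlencoded"


class UnexpectedBody(Exception):
    """Raised in strict mode when a non-POST/PUT request carries a body."""


def extract_arguments(method, target, headers=None, body=b"", strict=False):
    """Return {name: [values]} for one request (hypothetical helper).

    Query-string arguments are always read. Form-encoded body arguments are
    merged only for POST and PUT. For any other method the body is ignored
    (RFC 2616 sec. 4.3, quoted in the comments) or, with strict=True,
    rejected as the second answer recommends.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    args = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if not body:
        return args
    if method.upper() not in BODY_METHODS:
        if strict:
            raise UnexpectedBody(f"{method} request with {len(body)}-byte body")
        return args  # body has no defined semantics for this method: ignore it
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type == FORM_TYPE:
        form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        for name, values in form.items():
            args.setdefault(name, []).extend(values)
    return args


def get_argument(args, name, default=None):
    """Single-value lookup: the last value wins, default if absent."""
    values = args.get(name)
    return values[-1] if values else default


# Constructed inputs matching the two curl commands in the question.
CURL_FORM = {"Content-Type": FORM_TYPE}  # curl -d sends this header
body_delete = extract_arguments("DELETE", "/", CURL_FORM, b"access_token=1234")
query_delete = extract_arguments("DELETE", "/?access_token=1234")

if __name__ == "__main__":
    print(get_argument(body_delete, "access_token"))
    print(get_argument(query_delete, "access_token"))
```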