I'm seeing occasional mysterious
POST requests without
Sometimes I go out of my way to turn over rocks in the web server logs for Wandering
Thoughts, but other times my log monitoring turns them over
for me. The latter is how I know that Wandering Thoughts has
been seeing periodic bursts of unusual
POST requests that don't
appear to have a
Content-Type. I saw another such burst today,
so I'm going to write this one up.
Today's burst is six requests from a single IP (22.214.171.124),
POST'ing to a single entry between
12:55:12 and 12:56:08. In fact there were two burst of three POSTs
each, one burst at 12:55:12 and 12:55:13 and the second at 12:56:08.
DWiki's logging say that all of them lacked a
it didn't record any other details. This specific IP address made
no other requests today, or even in the past nine days. On July
2nd, it was nine
POSTs to this entry from 126.96.36.199 in three bursts
of three, at 21:36:20, 21:42:2, and 21:53:35. Both IPs used a
very generic User-Agent that I believe is simply the current Chrome
on Windows 10.
In all of the cases so far, the
POSTs are made directly to the URL
of a Wandering Thoughts entry, not to, say, the 'write a comment'
page. This is noteworthy because I don't have any forms or other
links that do
POST submissions to entry URLs; all references to
entry URLs are plain links and thus everyone should be using
requests. Anything that's deciding to make these
POST requests is
making them up, either by mistake or through some
(In the past I've seen zero length
POSTs with a valid HTML form
content-type, which I believe were also for regular
entry URLs although past me didn't write that explicitly in the
There's a part of me that wants to augment DWiki's logging to record,
say, the claimed
Content-Length for these POST requests so I can
see if they claim to have content or if they're 0-length. Probably
this is going further in turning over rocks than I want to, unless
I'm going to go all the way to logging the actual
POST body to
try to see what these people are up to.
POSTs without a
Content-Type are technically legal
and you're supposed to interpret the contents as the generic
application/octet-stream (unless you want to attempt to guess by
inspecting the data, which you don't). See eg here,
pointing to the HTTP 1.1 specification.
However, all of my
POST forms properly specify the content-type
the browser should use, so this shouldn't be
happening even for proper
POST requests to valid POST URLs.)
PS: Apache probably accepts
POSTs with no
Content-Type to static,
GET-only resources because Apache will accept pretty much anything
you throw at it. DWiki is more cautious, although that's basically
become a mistake.
Comments on this page:Written on 06 July 2018.