httpd-bugs mailing list archives
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved (to <LimitExcept ...>)
Date Sat, 22 Jul 2006 09:58:39 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40030>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40030


darryl@darrylmiles.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|mod_dav documentation could |mod_dav documentation could
                   |be improved                 |be improved (to <LimitExcept
                   |                            |...>)




------- Additional Comments From darryl@darrylmiles.org  2006-07-22 09:58 -------
If I may clarify my thoughts.

Someone adding DAV to their website wants to restrict the additional DAV
operations but retain the existing web-application operations, so their
web-application continues to work like it did before.

If they wanted to restrict the POST operation they would already have configured
a rule for that outside of the additional configuration required for DAV.


Are you saying that DAV utilizes the POST method for any operation, and in doing
so that operation may modify data or expose extra data to an anonymous website
user, which the anonymous website user wouldn't have been able to do otherwise?

To summarize that question: "Can a privilege escalation via the POST method occur
for an anonymous website user?"

When I audited the example configuration changes myself by researching into the
commands I was adding, this exact concern immediately came to mind.  After 5 mins
looking over the code for what DAV does via the POST method I could not see any
active component.

I'm trying to spare someone else less technical than me this headache that the
suggestion of <LimitExcept GET OPTIONS> implies, in that DAV may be unsafe for
any website utilizing the POST method for its everyday operations, so we don't
recommend <LimitExcept GET OPTIONS POST>.


Point taken on the HEAD issue, but again <LimitExcept GET HEAD OPTIONS POST> is
much clearer to understand than <LimitExcept GET OPTIONS POST>; it means I don't
have the headache of finding out why HEAD wasn't included.  If they are equal
and one way is clearer than the other, use the clearer way in the documentation.

Is your neutral stance due to being unsure of the effects of DAV+POST?  Maybe a
DAV guru will notice this and contribute their wisdom.  I'm now thinking that if
there are side effects these should be documented.  Either way, I'm just trying
to remove the concern that a potential user may get after reading the current
documentation.
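The configuration the comment above argues for, as an added example that is not part of the bug report or of the httpd project's documentation: a mod_dav directory that leaves the methods an ordinary web application already uses (GET, HEAD, OPTIONS, POST) open to anonymous visitors and requires a valid user for every other method. The directory path, realm name, lock database and password file are assumptions.

```apache
# Added example, not from the bug report. The paths and the realm name are
# placeholders chosen for illustration.
DavLockDB /var/lock/apache2/DavLock

<Directory /var/www/dav>
    Dav On

    # Without a <LimitExcept> block the Require below would also gate GET and
    # POST, breaking the existing web application for anonymous visitors.
    #
    # httpd's <Limit>/<LimitExcept> already treat a GET entry as covering HEAD,
    # so listing HEAD explicitly changes nothing but saves the reader from
    # having to know that rule.
    <LimitExcept GET HEAD OPTIONS POST>
        # Every other method (PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY,
        # MOVE, LOCK, UNLOCK, and anything else a client sends) needs
        # credentials. Methods not listed above are refused to anonymous
        # users even when no handler implements them.
        AuthType Basic
        AuthName "DAV area"
        AuthUserFile /etc/apache2/dav.passwd
        Require valid-user
    </LimitExcept>
</Directory>
```

After reloading, an unauthenticated OPTIONS request against the path should still succeed while an unauthenticated PROPFIND against the same path should be answered with 401; that pair of checks confirms the method split is in force.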

