httpd-dev mailing list archives

From Roy Fielding <field...@beach.w3.org>
Subject Should Limit be limited to known methods?
Date Fri, 18 Aug 1995 03:18:11 GMT
After setting up a "sensible" access.conf:

# The DocumentRoot is assumed to be under our control
 
<Directory /dc/ud/www/documentroot>
AllowOverride FileInfo AuthConfig Limit
Options Indexes FollowSymLinks IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE LINK UNLINK>
order deny,allow
deny from all
</Limit>
</Directory>

Apache 0.8.10x complains about the " LINK UNLINK".  Why?
The relevant code is in http_core.c:

    while(limited_methods[0]) {
        char *method = getword_conf (cmd->pool, &limited_methods);
        if(!strcasecmp(method,"GET")) limited |= (1 << M_GET);
        else if(!strcasecmp(method,"PUT")) limited |= (1 << M_PUT);
        else if(!strcasecmp(method,"POST")) limited |= (1 << M_POST);
        else if(!strcasecmp(method,"DELETE")) limited |= (1 << M_DELETE);
        else return "unknown method in <Limit>";
    }

Wouldn't the "principle of least astonishment" be to ignore any
methods not implemented in the server, or (better) make the set
of allowed methods completely configurable?


Hmmm...what is the default for methods that have no Limit?
It isn't specified in the documentation.

From looking at check_dir_access() in mod_access.c, I'm going to
guess it is

    <Limit GET POST PUT DELETE>
    order deny,allow
    deny from all
    </Limit>

It would also be nice to explain why HEAD is never Limit'd.

.....Roy
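
Added example, not part of the original message and not Apache source: a C sketch that models the quoted <Limit> parsing loop in a strict mode and in the lenient "ignore unknown methods" mode the message raises. The names parse_limit and token_is and the method bit positions are assumptions. The lenient mode counts the names it skips, because a deny block that silently drops LINK and UNLINK leaves those methods under whatever the server's default is.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Method bit positions are assumptions for this sketch, not Apache's values. */
enum { M_GET, M_PUT, M_POST, M_DELETE, M_COUNT };
static const char *const known[M_COUNT] = { "GET", "PUT", "POST", "DELETE" };

/* Case-insensitive match of the n-byte token at s against a method name. */
static int token_is(const char *s, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n && name[i]; i++)
        if (toupper((unsigned char)s[i]) != name[i])
            return 0;
    return i == n && name[i] == '\0';
}

/* Parse a whitespace-separated <Limit> method list into a bitmask.
 * strict != 0: fail on the first unknown method, like the quoted loop.
 * strict == 0: skip unknown methods but count them in *ignored, so the
 *              caller can warn that part of the rule has no effect.
 * Returns 0 on success, -1 on an unknown method in strict mode. */
int parse_limit(const char *list, int strict, int *mask, int *ignored)
{
    *mask = *ignored = 0;
    while (*list) {
        size_t n = strcspn(list, " \t");   /* length of the next token */
        int m;
        for (m = 0; n && m < M_COUNT; m++)
            if (token_is(list, n, known[m]))
                break;
        if (n && m < M_COUNT)
            *mask |= 1 << m;
        else if (n && strict)
            return -1;
        else if (n)
            ++*ignored;
        list += n + strspn(list + n, " \t");
    }
    return 0;
}

int main(void)
{
    int mask, ignored, rc = parse_limit("POST PUT DELETE LINK UNLINK", 0, &mask, &ignored);
    printf("lenient: rc=%d mask=0x%x ignored=%d\n", rc, mask, ignored);
    return 0;
}
```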
