Brian:
> I just added a page on compatibility notes to the web site -
> http://www.apache.org/docs/compat_notes.html
> It's linked to from the home page, the "new with 08" page, and the
> documentation page.
Ah, I took a look and the wording was a bit confusing for me. Slap me if
I'm r0ng but I thought that the default behaviour was to DISALLOW all
methods [GET, POST, whatever] and to only allow, or even consider, those
methods which are mentioned inside a <limit ...> directive. That's why
all NCSA clone access.conf's have the basic structure:
    <Directory /usr/local/etc/httpd/htdocs>
    Options Indexes FollowSymLinks
    AllowOverride All
    <Limit GET>
    order allow,deny
    allow from all
    </Limit>
    </Directory>
Meaning that under most out-of-the-box configurations the GET method is
permitted everywhere.
The wording as is on the compatibility notes page read:
2. <Limit> sillyness - in the old Apache 0.6.5, a directive of
<Limit GET> would also restrict POST methods - Apache 0.8.8's new core
is correct in not presuming a limit on a GET is the same limit on a
POST, so if you are relying on that behavior you need to change your
access configurations to reflect that.
Which suggests to me that <limit>'ations only apply to those methods
mentioned explicitly and that anything not mentioned can get through. Which
is not the same thing, I believe, as the intent of NCSA's original design.
Perhaps a less confusing (for me) wording might be:
2. <Limit> sillyness - in the old Apache 0.6.5, a directive of
<Limit GET> would allow POST methods to be executed. The default
for POSTs under this directive should be to prevent POSTs from being
honoured. Apache 0.8.8's new core is correct in presuming that any
method not mentioned explicitly in a <Limit ...> directive is to
be disabled. So if you are relying on that behaviour you need to
change your access configurations to reflect that.
Specifically you may need to add the POST method to your <Limit ...>
directives if you notice that people are no longer able to POST to
your scripts.
Or words to that effect.
Alternatively, I might be just plain r0ng. Trust me, it happens. ;)
Ay.
> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
>
>
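Added example (not part of the original message and not Apache's own code): a small audit that lists, for each <Directory> block, which methods its <Limit> directives name and which they leave unnamed, since the unnamed methods are the ones whose handling the compatibility note says differs between 0.6.5 and 0.8.8. The sample configuration (including the cgi-bin block) and METHODS_OF_INTEREST are constructed assumptions.

```python
import re

# Constructed sample in the NCSA-style layout quoted in the message above.
SAMPLE_CONF = """\
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
AllowOverride All
<Limit GET>
order allow,deny
allow from all
</Limit>
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
<Limit GET POST>
order deny,allow
deny from all
allow from .example.org
</Limit>
</Directory>
"""

# Methods the administrator wants accounted for (an assumption; extend as needed).
METHODS_OF_INTEREST = ("GET", "POST", "PUT", "DELETE")

def audit_limits(conf_text, methods=METHODS_OF_INTEREST):
    """Return {directory: {"named": [...], "unnamed": [...]}} for review."""
    named = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Directory\s+([^>]+)>", line, re.I)
        if m:
            current = m.group(1).strip()
            named.setdefault(current, set())
            continue
        if re.match(r"</Directory>", line, re.I):
            current = None
            continue
        m = re.match(r"<Limit\s+([^>]*)>", line, re.I)
        if m and current is not None:
            named[current].update(x.upper() for x in m.group(1).split())
    return {d: {"named": sorted(s),
                "unnamed": [x for x in methods if x not in s]}
            for d, s in named.items()}

if __name__ == "__main__":
    for directory, r in audit_limits(SAMPLE_CONF).items():
        print(f"{directory}: named={r['named']} unnamed={r['unnamed']}")
```

Each directory with a non-empty "unnamed" list is one to test with those methods before and after an upgrade.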