To: new-httpd@hyperreal.com
Subject: Should Limit be limited to known methods?
Date: Thu, 17 Aug 1995 23:18:11 -0400
From: Roy Fielding
Message-Id: <199508180318.XAA09820@beach.w3.org>

After setting up a "sensible" access.conf:

    # The DocumentRoot is assumed to be under our control
    AllowOverride FileInfo AuthConfig Limit
    Options Indexes FollowSymLinks IncludesNoExec
    order allow,deny
    allow from all

    order deny,allow
    deny from all

Apache 0.8.10x complains about the "<Limit ... LINK UNLINK>" line. Why?
The relevant code is in http_core.c:

    /* one bit per method the core knows about */
    while (limited_methods[0]) {
        char *method = getword_conf(cmd->pool, &limited_methods);
        if (!strcasecmp(method, "GET"))
            limited |= (1 << M_GET);
        else if (!strcasecmp(method, "PUT"))
            limited |= (1 << M_PUT);
        else if (!strcasecmp(method, "POST"))
            limited |= (1 << M_POST);
        else if (!strcasecmp(method, "DELETE"))
            limited |= (1 << M_DELETE);
        else
            return "unknown method in <Limit>";
    }

Wouldn't the "principle of least astonishment" be to ignore any methods
not implemented in the server, or (better) make the set of allowed
methods completely configurable?

Hmmm...what is the default for methods that have no Limit? It isn't
specified in the documentation. From looking at check_dir_access() in
mod_access.c, I'm going to guess it is

    order deny,allow
    deny from all

It would also be nice to explain why HEAD is never Limit'd.

.....Roy
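Added example, not Apache's code and not part of Roy's message: a table-driven version of the method parser quoted above, showing both the strict behaviour of http_core.c (reject the whole Limit on an unknown method) and the alternative the message suggests (ignore methods the server does not implement); the method table and the M_* values are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed method table: the set a server knows about, in one place,
   rather than a hard-coded if/else chain. Adding a method is one row. */
enum { M_GET, M_PUT, M_POST, M_DELETE, M_LINK, M_UNLINK, M_LAST };
static const char *method_names[M_LAST] = {
    "GET", "PUT", "POST", "DELETE", "LINK", "UNLINK"
};

/* Map a method name (case-insensitive) to its bit, or -1 if unknown. */
int method_bit(const char *m) {
    for (int i = 0; i < M_LAST; i++)
        if (strcasecmp(m, method_names[i]) == 0)
            return 1 << i;
    return -1;
}

/* Parse a Limit method list such as "GET POST LINK" into a bitmask.
   strict=1 reproduces the quoted http_core.c behaviour and returns -1 on
   the first unknown method; strict=0 silently skips unknown methods. */
int parse_limit(const char *list, int strict) {
    char buf[256];
    int limited = 0;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int bit = method_bit(tok);
        if (bit < 0) {
            if (strict) return -1;
            continue;
        }
        limited |= bit;
    }
    return limited;
}

/* Decide access for one request: methods named in the Limit get the
   Limit's policy; everything else falls to the default policy, which is
   the unspecified case the message asks about (deny is the safe choice). */
int method_allowed(int limited, const char *method,
                   int limit_allows, int default_allows) {
    int bit = method_bit(method);
    if (bit > 0 && (limited & bit))
        return limit_allows;
    return default_allows;
}
```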