httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Robert S. Thau)
Subject Re: Just what you all want... another patch.
Date Sun, 16 Jun 1996 19:29:26 GMT
  What is the likelehood of people *expecting* the un-patched behaviour
  for the correct operation of their applications?  Just wondering
  if we're in for a hidden cost with this otherwise priceless benefit
  which might require careful documentation to avoid br0kenness...

Well, br0kenness is what people have now, and "requires" is br0ken in
ways that "allow" and "deny" specifically are not.  It's possible that
somebody out there may be relying on this, but probably not many,
since the only two methods that many people are using are GET and
POST, and they are both typically protected the same way.  (Remember,
it's only when I actually wanted to do something with PUT that I
noticed we had a problem here).

However, once you're supporting PUT, you *really* want to be able to
require authentication on a method- by-method basis (particularly, PUT
only), and right now, that's impossible.  (Take it from the guy who's

Personally, I think we can just take it as an occasion to remind people
to check that their <Limit> clauses should list *every* method they
want to Limit and which their server, as configured, will be willing to
apply (whereupon a lot of them will probably discover that they said
<Limit GET> where they meant <Limit GET POST>).

But it is worth mentioning...


View raw message