httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: Using the PUT method with Apache
Date Tue, 25 Feb 1997 06:50:59 GMT
On Mon, 24 Feb 1997, Alexei Kosut wrote:

> On Mon, 24 Feb 1997, Kevin 'Kev' Hughes wrote:
> > 	I apologize in advance if this is an obvious newbie sort of
> > question, but here it is:
> > 	I've been experimenting with writing my own CGI PUT handlers
> > (in Java and C) so I can use Netscape Constellation and other such
> > publishing clients with Apache to enable my sites to be edited remotely
> > (and version-controlled, etc., etc.), and I want to know how I can enforce
> > basic authentication on the server end.
> > 	I set up a PUT handler via the "Script" directive:
> > 
> > 	Script PUT /cgi-bin/nph-puthandler
> > 
> > 	...but if I use Script, it seems that the <Limit PUT ...> stuff
> > I set up is ignored. The server allows any old person to PUT stuff.
> Hmm. This should not be the case. Are you sure the <Limit> is applied
> to the correct directory? Honestly, I'm not sure if it should be the
> dir where the CGI is, or where the file being put is. But certainly
> <Limit PUT> should do what it's advertised to do. If it doesn't,
> that's a very serious bug. I know it used to work...

I am pretty sure it worked fine for me around 1.2b6...

> > 	Are there any plans to write an "official" Apache PUT handler?
> I know Rob Thau wrote one for his apache-XX server. It had all sorts
> of nifty security stuff, too. Don't know what he ended up doing with
> it, though.

I am very scared by what certain servers that implement nifty things like
PUT and web accessable configuration interfaces do; some even suggest
running your server as root to avoid any problems.  

Two of the projects I am thinking about when I have time are a reasonably
secure PUT handler (external setuid binary, gets user password on stdin
and verifies it itself) with an idea of trying to get it into the base
distribution (would need hooks in the source...) and doing a web based
configuration interface; probably a seperate admin server process like
most do it, let the user start it by just typing "httpd -config" and
loading their web browser.

Both involve doing root-only things that have to be done securely.  Not
sure I will ever get to any of these, but...

View raw message