httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: Using the PUT method with Apache
Date Tue, 25 Feb 1997 06:21:41 GMT
On Mon, 24 Feb 1997, Kevin 'Kev' Hughes wrote:

> 	I apologize in advance if this is an obvious newbie sort of
> question, but here it is:
> 	I've been experimenting with writing my own CGI PUT handlers
> (in Java and C) so I can use Netscape Constellation and other such
> publishing clients with Apache to enable my sites to be edited remotely
> (and version-controlled, etc., etc.), and I want to know how I can enforce
> basic authentication on the server end.
> 	I set up a PUT handler via the "Script" directive:
> 	Script PUT /cgi-bin/nph-puthandler
> 	...but if I use Script, it seems that the <Limit PUT ...> stuff
> I set up is ignored. The server allows any old person to PUT stuff.

Hmm. This should not be the case. Are you sure the <Limit> is applied
to the correct directory? Honestly, I'm not sure if it should be the
dir where the CGI is, or where the file being put is. But certainly
<Limit PUT> should do what it's advertised to do. If it doesn't,
that's a very serious bug. I know it used to work...

> 	So I say, OK, I'll just check the login name and password
> in the handler itself. But I can't seem to find the environment variable
> that stores the name/password pair to pass to my handler for authentication.

It isn't. This is a "feature". See below.

> 	The raw request looks something like this:
> 	PUT HTTP/1.0
> 	Proxy-Connection: Keep-Alive
> 	User-Agent: Mozilla/4.0b2 (Win95; I)
> 	Pragma: no-cache
> 	Host:
> 	Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> 	Authorization: Basic someBase64blahblah
> 	Content-Length: 11111
> 	While I can get AUTH_TYPE from the environment, I can't get the
> name/password pair. According to the above, should the variable
> HTTP_AUTHORIZATION be set with this information? Is there some aspect
> of configuration I might have missed to enforce PUT authorization?

The CGI spec doesn't allow the Authorization header to be sent on to
CGI scripts; Apache removes it. This is so a CGI script can't "steal"
a passsword (which is sent in the clear) from another realm on the
same server, or some such like that.

> 	Are there any plans to write an "official" Apache PUT handler?

I know Rob Thau wrote one for his apache-XX server. It had all sorts
of nifty security stuff, too. Don't know what he ended up doing with
it, though.

Alexei Kosut <>      The Apache HTTP Server

View raw message