httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <ako...@organic.com>
Subject Re: mod_cgi/973: Invalid request methods are processed by CGI module as GET (fwd)
Date Thu, 07 Aug 1997 04:42:44 GMT
On Wed, 6 Aug 1997, Marc Slemko wrote:

> Should we add something like:
> 
>     if (r->method_number == M_INVALID) {
>         return DECLINED;
>     }

No. Invalid requests are still valid. That's why the core doesn't reject
them outright. A well-written CGI will check REQUEST_METHOD, and if it is
not something it supports ("GET" or "POST", most likely), it will reject
it.

Apache does not process "BLAH" as if it were a GET request (to use the
bug reporter's syntax), it processes it as if it were a BLAH request,
which, as it is unknown, is treated as an HTTP extension method. You
certainly can't use BLAH to get around a <Limit GET> for serving files
from most of the modules. CGI scripts are, as per the spec, passed all
requests to their URL. They're responsible for ensuring that things work
out.

It should be pointed out at this time that the CGI specification isn't
as good as it could be, and if Rob and Ari hadn't both left to join
Netscape, I suspect a CGI/1.2 would have evolved to fix some of these
things. As it is, CGI is at an evolutionary dead end, but we're stuck
with it.

There are many replacements around which fill a similar role to CGI. The
most similar are the ISAPI Extension or the Java servlet, but the more
complex approaches (Apache's API, NSAPI, ISAPI Filters, etc...) can also
provide CGI-replacement facilities.

> ?  Or should an invalid method still be a valid request?  Note that this
> doesn't really fix the submitters problem because they can then just do a
> PUT, etc. assuming the CGI doesn't check the method...  if it did, the
> problem wouldn't be there.  The fix for the submitters problem is to STOP
> PUTTING LIMIT STATEMENTS FOR NO REASON.  (yes, the solution is in
> uppercase, not lowercase) 

Yes. This is definitely true. Someone should respond to the bug reporter,
saying basically that Apache follows the CGI spec, and passes all methods
to the CGI, it should check REQUEST_METHOD, and they should remove the
<Limit> section if they want to ensure that the CGI is always protected.

-- Alexei Kosut <akosut@organic.com>


Mime
View raw message