httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: [linux-security] Security Hole. Appache. (fwd)
Date Thu, 04 Sep 1997 16:45:30 GMT
On Thu, 4 Sep 1997, Dirk.vanGulik wrote:

> > On Thu, 4 Sep 1997, Dirk.vanGulik wrote:
> > 
> > > Flush, blush ; I knew this; there is even some old patch for pre 1 ?
> > > which gave a protocol error :-( It came in after the limit extension.
> > 
> > But it isn't a bug, and the script is doing exactly what they told it to.
> 
> Hmm, I'd strongly argue the case that anything other than PUT/GET/POST/HEAD
> etc in exactly that case; should be flagged as a protocol error (especially
> as the request comes in with HTTP/1.0 and HTTP/1.1; so it should stick
> to that); Though I have to admit that I locally do use INFO and META for
> just that extra dimension.
> 
> Still I can see your point too.

The issue is that in most of these cases, limiting methods to known
methods wouldn't fix the security hole anyway, because it isn't likely
that people will list _all_ the possible methods that Apache handles.  The
same thing could happen with PUT or some other method that is valid.  Even
if they do list them all, then you have problems when a new one is
introduced.  I see nothing to gain by encouraging such broken behavior.

It could be documented better though.
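
The failure mode described in the message above, as an added example that is not part of the original message or of Apache's own code: a small configuration auditor, assuming the setup in question wraps access-control directives in an Apache `<Limit>` block. `KNOWN_METHODS`, `audit_limit_blocks` and the sample configuration are constructed for illustration.

```python
import re

# Assumed set of "known" methods for this example; the real set changes
# whenever a new method is introduced, which is the point of the message.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
ACCESS_DIRECTIVES = ("require", "allow", "deny", "order")
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.IGNORECASE)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>", re.IGNORECASE)

# Constructed sample: the first block protects only GET and POST.
SAMPLE_CONFIG = """\
<Directory /srv/www/private>
    AuthType Basic
    AuthName "staff"
    AuthUserFile /etc/httpd/passwd
    <Limit GET POST>
        require valid-user
    </Limit>
</Directory>
<Directory /srv/www/admin>
    AuthType Basic
    require valid-user
</Directory>
"""

def audit_limit_blocks(config_text):
    """Return (line, listed_methods, uncovered_known_methods) for every
    <Limit> block that wraps an access-control directive."""
    findings = []
    block = None  # [line number, listed methods, saw access directive]
    for number, line in enumerate(config_text.splitlines(), start=1):
        opened = LIMIT_OPEN.match(line)
        words = line.split()
        if opened:
            block = [number, set(opened.group(1).split()), False]
        elif LIMIT_CLOSE.match(line):
            if block and block[2]:
                covered = set(block[1])
                if "GET" in covered:
                    covered.add("HEAD")  # Apache applies a GET limit to HEAD too
                findings.append((block[0], sorted(block[1]), sorted(KNOWN_METHODS - covered)))
            block = None
        elif block is not None and words and words[0].lower() in ACCESS_DIRECTIVES:
            block[2] = True
    return findings

if __name__ == "__main__":
    for line, listed, uncovered in audit_limit_blocks(SAMPLE_CONFIG):
        print(f"line {line}: <Limit {' '.join(listed)}> leaves {uncovered} "
              "and every unlisted method unrestricted")
```

Moving the access-control directives out of the `<Limit>` wrapper makes them apply to every method, listed or not, which is why the second directory in the sample produces no finding.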

