From Josh Cohen <jos...@microsoft.com>
Subject Suggested patch for unknown methods in <Limit>
Date Wed, 06 Jan 1999 14:35:14 GMT
Greetings,

 I've been doing some testing with Greg Stein's mod_dav as well as
mod_digest, and have run into some issues with how Apache 
access restrictions work.

What I wanted to do was set up a directory clause which would
allow unauthenticated users to be able to browse the directory
with methods like GET, HEAD etc, but not any of the dav methods.
(PROPFIND, PROPPATCH, et al)

Using a <Limit> directive, I could specify to only restrict certain
methods like PUT or OPTIONS, but I could not restrict PROPFIND and 
PROPPATCH as well.  My choices were either to have no limit clause
and have no access except for authenticated users, or to hope
that no malicious user did a PROPPATCH to edit my web page.

In response, I propose a really small change to the function:

in: main/http_core.c
CORE_EXPORT_NONSTD(const char *) ap_limit_section(cmd_parms *cmd, void *dummy,
                                                  const char *arg)

diff:
*** http_core.dist.c	Wed Jan  6 06:17:36 1999
--- http_core.c	Tue Jan  5 08:18:17 1999
***************
*** 1086,1091 ****
--- 1086,1094 ----
  	else if (!strcmp(method, "OPTIONS")) {
  	    limited |= (1 << M_OPTIONS);
  	}
+ 	else if (!strcmp(method, "UNKNOWN")) {
+ 	    limited |= (1 << M_INVALID);
+ 	}
  	else {
  	    return ap_pstrcat(cmd->pool, "unknown method \"",
  			      method, "\" in <Limit>", NULL);
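Review bot: the new `else if (!strcmp(method, "UNKNOWN"))` branch puts the wildcard token into the same strcmp chain as the real method names, so the parser can no longer tell a <Limit> entry for a (hypothetical) extension method literally spelled UNKNOWN apart from the wildcard, and the unchanged error text in the following else branch, `unknown method "..." in <Limit>`, now reads confusingly next to a token called UNKNOWN. Suggest a comment on the `limited |= (1 << M_INVALID);` line stating that this relies on every method the core does not recognise arriving with r->method_number == M_INVALID, so the single bit covers all such methods at once (PROPFIND, PROPPATCH, COPY, MOVE and any other extension method) rather than any one of them, and either a distinct spelling for the wildcard or, at minimum, a matching update to the <Limit> directive documentation, which this patch does not include.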

What this allows is for me to specify a set of known methods and to 
include any unknown methods in that restriction.

So, having the following in my access.conf:

<Directory /linux/src/ie/test/>
	Dav On
	AuthName "topsecret"
	AuthType Digest
	AuthDigestFile /my/path/users
	AuthDigestAlgorithm MD5
	<Limit PUT DELETE UNKNOWN>
		require valid-user
	</Limit>
</Directory>

I can allow unauthenticated users to view my web page with their
browser (GET, HEAD) and restrict use of authoring tools which support 
DAV. (PROPFIND, COPY, MOVE, etc)

I've seen reference to newly defined methods like M_PROPFIND in the source
to mod_dav, but it's still important to be able to identify an "unknown"
method which a module may support.

Ideally, I thought I might just make the final clause stick the unknown
method text into the context structure along with the method_mask, but..
I plead laziness :)

In the meantime, this should suffice.  It seems to work fine for me in
my testing.  After thinking about how to do this, this solution seemed
to be quite easy.  It turns out that when a method like PROPFIND is used,
the r->method string says "PROPFIND" but the r->method_number is M_INVALID.
This allows the limit directive to work as I've described, as well as
allowing modules which deal with methods unknown to Apache to handle them
from the string.

I think it's important to allow this kind of functionality in 
a hurry, especially if people start deploying mod_dav widely.

Comments?

Josh

---
Josh Cohen <joshco@microsoft.com>
Lead Program Manager - Internet Explorer Networking 
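To make the mechanism in the message above concrete, here is an added illustration in C that is not Apache code and not part of the original post: a small model of how a <Limit ...> argument list becomes a bit mask, how a request's method string becomes a method number, and how the proposed UNKNOWN token makes the mask cover every method the core does not know by name. The functions (lookup_known, method_number, limit_mask, method_is_limited), the enum values and the folding of HEAD into M_GET are this model's own assumptions, not the constants or signatures from Apache's httpd.h or http_core.c.

```c
/*
 * Added illustration, not Apache code: a model of how a <Limit ...> method
 * list becomes a bit mask and how a request's method name becomes a method
 * number, so the effect of the proposed "UNKNOWN" token can be seen on real
 * method names. The enum values below are this model's own and are NOT the
 * constants from Apache's httpd.h.
 */
#include <stdio.h>
#include <string.h>

enum {
    M_GET, M_PUT, M_POST, M_DELETE, M_CONNECT, M_OPTIONS,
    M_INVALID          /* every method the core does not know by name */
};

/* Method names the core recognises, in the spirit of the strcmp chain in
   ap_limit_section. HEAD is folded into M_GET here (assumption: modelled on
   Apache treating HEAD as a GET with only headers returned). */
static const struct { const char *name; int number; } known_methods[] = {
    { "GET", M_GET }, { "HEAD", M_GET }, { "PUT", M_PUT }, { "POST", M_POST },
    { "DELETE", M_DELETE }, { "CONNECT", M_CONNECT }, { "OPTIONS", M_OPTIONS }
};

/* Look up a core method name; -1 if the core has no number for it. */
static int lookup_known(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof known_methods / sizeof known_methods[0]; i++)
        if (strcmp(known_methods[i].name, name) == 0)
            return known_methods[i].number;
    return -1;
}

/* Request side: r->method keeps the raw string, while r->method_number
   collapses every extension method (PROPFIND, PROPPATCH, COPY, MOVE, ...)
   to the single value M_INVALID. */
int method_number(const char *method)
{
    int n = lookup_known(method);
    return n < 0 ? M_INVALID : n;
}

/* Config side: parse the argument of <Limit ...> into a bit mask.
   "UNKNOWN" is the proposed wildcard for the M_INVALID bit; any other token
   the core does not know is a configuration error, returned here as -1
   (the "unknown method ... in <Limit>" path of the original). */
int limit_mask(const char *args)
{
    char buf[256];
    char *tok;
    int mask = 0;

    if (strlen(args) >= sizeof buf)
        return -1;
    strcpy(buf, args);
    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        int n;
        if (strcmp(tok, "UNKNOWN") == 0) {
            mask |= 1 << M_INVALID;
            continue;
        }
        n = lookup_known(tok);
        if (n < 0)
            return -1;
        mask |= 1 << n;
    }
    return mask;
}

/* Access check: does a request with this method fall under the <Limit>?
   Mirrors the "(1 << r->method_number) & mask" test an auth module makes. */
int method_is_limited(int mask, const char *method)
{
    return (mask & (1 << method_number(method))) != 0;
}

int main(void)
{
    static const char *methods[] = { "GET", "HEAD", "PUT", "DELETE",
                                     "PROPFIND", "PROPPATCH", "COPY", "MOVE" };
    /* The two configurations from the message: without and with UNKNOWN. */
    int before = limit_mask("PUT DELETE");
    int after  = limit_mask("PUT DELETE UNKNOWN");
    size_t i;

    printf("%-10s %-8s %s\n", "method", "before", "after");
    for (i = 0; i < sizeof methods / sizeof methods[0]; i++)
        printf("%-10s %-8s %s\n", methods[i],
               method_is_limited(before, methods[i]) ? "auth" : "open",
               method_is_limited(after,  methods[i]) ? "auth" : "open");
    return 0;
}
```

The table printed by main shows the gap the message describes: with `<Limit PUT DELETE>` the DAV methods are "open" because the core has no bit for them, and with `<Limit PUT DELETE UNKNOWN>` they all turn to "auth" at once while GET and HEAD stay open. It also shows the caveat a reviewer would raise: because all extension methods share M_INVALID, the UNKNOWN bit cannot single out PROPFIND without also limiting COPY, MOVE and anything else the core does not know.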
