httpd-dev mailing list archives

From: "Eric Prud'hommeaux" <e...@w3.org>
Subject: Re: ap_sub_req_lookup_file sets incorrect method in sub request
Date: Mon, 22 Mar 1999 20:04:20 GMT

On Sat, Mar 20, 1999 at 04:56:42PM -0800, Greg Stein wrote:
> Eric Prud'hommeaux wrote:
> > 
> > When ap_sub_req_lookup_file is called to check a fixup (for instance,
> > for mod_negotiation), it duplicates the request, substituting the file
> > to be checked, and performs a litany of tests on it. The request is
> > copied by a call to ap_set_sub_req_protocol, which looks like this:
> > ...
> > The problem is that the subrequests for a POST method get set to
> > "GET", bypassing any auth restrictions on POST. I didn't see where
> > else this subrequest could be getting the correct method information
> > so I propose that the method and method_number be set like so:
> 
> This kind of behavior has been seen before (mod_dav was having a similar
> problem for MOVE and COPY). 1.3.5-dev contains a new function named
> "ap_sub_req_method_uri" which is just like "ap_sub_req_lookup_uri" but
> you can pass it an arbitrary method name.
> 
> However, you're trying to use the lookup_file version. There isn't a
> corresponding one there, although there probably should be.
> 
> It is probably a mistake to simply copy over the method. I could easily
> envision a method that *wants* to perform a GET on the target uri/file.

Actually, I'm just using a (nearly) vanilla mod_negotiation. It calls
ap_sub_req_lookup_file to validate uri adjustments. I suspect that
copying the method would be better than assuming GET, as modules which
rely on ap_sub_req_lookup_uri are generally adjusting the filename of
the previous request. Here's a quick survey of the affected modules:

[root@ella src]# find . -name \*.c -print |xargs grep -l ap_sub_req_lookup_file
./main/http_request.c
./modules/standard/mod_autoindex.c
./modules/standard/mod_cern_meta.c
./modules/standard/mod_include.c
./modules/standard/mod_mime_magic.c
./modules/standard/mod_negotiation.c
./modules/standard/mod_rewrite.c

I think all of them should check the adjusted URL's access for a
POST if the original request was for POST.

> Take a look at the latest snapshot and create a patch similar to
> ap_sub_req_method_uri(), but is a variant for lookup_file. 1.3.5 is
> almost out the door, but maybe it will sneak in if you're quick.

No pressure, no action. :)
-- 
-eric

(eric@w3.org)
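
A minimal C model of the behaviour discussed in this message, added here as an illustration; it is not Apache source and not code from either participant. The struct layouts, `check_access`, `sub_req_method_file`, and the "form" / "form.en.html" scenario are assumptions made for the example; the method is passed explicitly so the caller can choose between the parent's method and a plain GET.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model for illustration; these types are not Apache's request_rec. */
enum method { METH_GET, METH_POST };

struct req {
    enum method method_number;
    const char *filename;
    int authenticated;            /* 1 = valid credentials were presented */
};

/* One access rule: methods in `limited` (bitmask) require authentication. */
struct rule { const char *filename; unsigned limited; };

static int check_access(const struct rule *rules, size_t n, const struct req *r)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].filename, r->filename) != 0)
            continue;
        if ((rules[i].limited & (1u << r->method_number)) && !r->authenticated)
            return 401;           /* restriction applies to this method */
    }
    return 200;
}

/* Hypothetical helper: sub-request for `file` with an explicit method, so the
 * caller decides whether the check runs as the parent's method or as GET. */
static struct req sub_req_method_file(enum method m, const char *file,
                                      const struct req *r)
{
    struct req sub = *r;          /* inherit credentials from the parent */
    sub.filename = file;
    sub.method_number = m;
    return sub;
}

/* Constructed scenario: an unauthenticated POST to "form" is negotiated to
 * "form.en.html", which is restricted for POST only. Returns the status the
 * sub-request access check yields. */
int negotiated_status(int copy_parent_method)
{
    static const struct rule rules[] = { { "form.en.html", 1u << METH_POST } };
    struct req parent = { METH_POST, "form", 0 };
    enum method m = copy_parent_method ? parent.method_number : METH_GET;
    struct req sub = sub_req_method_file(m, "form.en.html", &parent);
    return check_access(rules, 1, &sub);
}
```

With the method forced to GET the POST-only restriction is never evaluated for the negotiated file; with the parent's method carried over, the same check denies the request.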
