httpd-dev mailing list archives

From Greg Stein
Subject Re: mod_include and POST (fwd)
Date Sun, 26 Aug 2001 09:33:46 GMT
On Sat, Aug 25, 2001 at 12:45:13AM -0400, Cliff Woolley wrote:
> On Fri, 24 Aug 2001, William A. Rowe, Jr. wrote:
> > don't forget to _permit_ OPTIONS.
> It turns out that OPTIONS was more complicated than I expected.  By the
> time we get to the includes filter, the default handler has already called
> ap_send_http_options() which is what sets the Allow header and which is
> what called down the filter stack (to us!).

The handler is the thing responding to the request. NOT the filter. The
filter should never touch the allowed methods, nor should it test for which
method was used. The filter has been placed into the filter stack, so it
should run.

If you don't want the filter running, then it should not have gone into
the filter stack.

But remember: the *handler* is the guy that knows what methods to respond
to, and how. It should deal with all that.

> > Also, this (AP_METHOD_BIT << M_GET);
> > is (slightly) bogus since there are macros to make it more legible.
> Actually, it's _totally_ bogus.  r->allowed is now completely useless as
> it turns out.  It's still set throughout the server by various modules,
> but it's never used!  make_allow() uses r->allowed_methods instead these
> days.  r->allowed needs to go away and be replaced by calls to
> ap_allow_methods(), which sets up r->allowed_methods.  There might be
> other security problems in various modules due to this problem, where they
> THINK they're limiting the allowed methods and they're really not.

OPTIONS is a difficult problem. There are many facilities that could be
present in the server, and each of these may need a shot at responding to
the OPTIONS request. Not necessarily just the handler who happened to
receive the OPTIONS.

> --- mod_include.c       2001/08/24 06:47:35     1.132
> +++ mod_include.c       2001/08/25 04:34:22
> @@ -2728,9 +2728,17 @@
>      if (!(ap_allow_options(r) & OPT_INCLUDES)) {
>          return ap_pass_brigade(f->next, b);
>      }
> -    r->allowed |= (AP_METHOD_BIT << M_GET);
>      if (r->method_number != M_GET) {
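
Review bot: the `if (r->method_number != M_GET)` test on the last visible line keeps a per-method decision inside the output filter, even though the `r->allowed |= (AP_METHOD_BIT << M_GET);` line that went with it is being dropped. The hunk header says the region grows from 9 to 17 lines, but none of the added lines are visible here, so what the non-GET branch now does cannot be checked from this excerpt. If the test stays, it needs a comment saying why a filter is inspecting the method at all. If the intent is to restrict methods, note that, per the quoted description, make_allow() reads r->allowed_methods, so any restriction should go through ap_allow_methods() in the code that handles the request rather than through a flag set in the filter.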

I say the above lines should simply be removed.


Greg Stein,
