httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Prud'hommeaux" <e...@w3.org>
Subject sub requests are all "GET"s
Date Wed, 05 Sep 2001 12:17:15 GMT
Can anybody explain why ap_set_sub_req_protocol does
    rnew->method          = "GET";
    rnew->method_number   = M_GET;
instead of
    rnew->method          = r->method;
    rnew->method_number   = r->method_number;
? The consequence is that functions like negotiation
    sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
check auth on the wrong method. You can check this by POSTing to
foo and having a limit on POST for foo.php3 (as opposed to the
whole directory). A quick way to check is to set a breakpoint in
ap_set_sub_req_protocol and
  telnet localhost 80
  POST /Overview HTTP/1.0
  Content-Length: 5
  
  abcd
Any calls to the auth modules will have a method of GET despite
the POST action they will eventually execute.

All auth modules and the like could check for this:
  int method = r->main ? r->main->method_number : r->method_number;
but it seems better to have the sub request default to the method
of the request that inspired it. There may be some modules that
may count on the default behavior, like mod_include, but I think
they should specifically make the new method be a GET as they are
not duplicating the parent request's behaviour.

-- 
-eric

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Mime
View raw message