httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Prud'hommeaux" <e...@w3.org>
Subject Re: sub requests are all "GET"s
Date Wed, 05 Sep 2001 13:55:17 GMT
On Wed, Sep 05, 2001 at 05:46:15AM -0700, Greg Stein wrote:
> Take a look at ap_sub_req_method_uri. That might do the trick for you.
> 
> I don't think there is a similar one for files right now.

Thanks. I took a look at ap_sub_req_method_uri and am still whining:

ap_sub_req_method_uri takes a method string argument and returns a sub
req with that method. All functions that could be creating POST, PUT,
etc requests should perhaps use it like this:
  rnew = ap_sub_req_method_uri(r->method, newUri, r, somefilter)
but they don't. They all call ap_sub_req_lookup_uri wich hard codes it:
  return ap_sub_req_method_uri("GET", new_file, r, next_filter);

I haven't tested, but it seems like a number of the callers of
ap_sub_req_lookup_uri may be subject to the problem I'm addressing
in ap_sub_req_lookup_file.

The problem I'm trying to solve here is to make the ACLs on negotiated
files work out of the box. As it is, if the ACL is only on foo.php3, a
POST to foo will cause, for instance, mod_auth's check_user_access to
check the ACLs for POST on foo and later, after mod_negotiation does
its trick, check the ACLs for GET on foo.php3. If Joe user is allowed
to GET foo.php3 he can sneak around the ACLs by POSTing to foo.

I saw this problem back in 1.3 and figured I'd tackle it if it was
still around in 2.0. I think the solution proposed below will work
but I haven't checked mod_{dav,include,autoindex} to see that they
don't mean to create a sub req that truly is a GET and not whatever
the parent req was.

> On Wed, Sep 05, 2001 at 08:17:15AM -0400, Eric Prud'hommeaux wrote:
> > Can anybody explain why ap_set_sub_req_protocol does
> >     rnew->method          = "GET";
> >     rnew->method_number   = M_GET;
> > instead of
> >     rnew->method          = r->method;
> >     rnew->method_number   = r->method_number;
> > ? The consequence is that functions like negotiation
> >     sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
> > check auth on the wrong method. You can check this by POSTing to
> > foo and having a limit on POST for foo.php3 (as opposed to the
> > whole directory). A quick way to check is to set a breakpoint in
> > ap_set_sub_req_protocol and
> >   telnet localhost 80
> >   POST /Overview HTTP/1.0
> >   Content-Length: 5
> >   
> >   abcd
> > Any calls to the auth modules will have a method of GET despite
> > the POST action they will eventually execute.
> > 
> > All auth modules and the like could check for this:
> >   int method = r->main ? r->main->method_number : r->method_number;
> > but it seems better to have the sub request default to the method
> > of the request that inspired it. There may be some modules that
> > may count on the default behavior, like mod_include, but I think
> > they should specifically make the new method be a GET as they are
> > not duplicating the parent request's behaviour.
> > 
> > -- 
> > -eric
> > 
> > (eric@w3.org)
> > Feel free to forward this message to any list for any purpose other than
> > email address distribution.
> 
> -- 
> Greg Stein, http://www.lyra.org/

-- 
-eric

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Mime
View raw message