httpd-dev mailing list archives

From Rasmus Lerdorf <ras...@apache.org>
Subject Re: sub requests are all "GET"s
Date Wed, 05 Sep 2001 16:47:04 GMT
Whoa, deja vu...  I could have sworn I fixed something very similar to
this more than 5 years ago now.  In fact, here is the patch for Apache
1.2.x:

Fri Mar 1 03:01:06 1996 UTC (66 months, 1 week ago)
http://cvs.apache.org/viewcvs.cgi/apache-1.2/src/http_request.c.diff?r1=1.2&r2=1.3

Not exactly the same issue, I know, but very close.

-Rasmus


On Wed, 5 Sep 2001, Eric Prud'hommeaux wrote:

> Can anybody explain why ap_set_sub_req_protocol does
>     rnew->method          = "GET";
>     rnew->method_number   = M_GET;
> instead of
>     rnew->method          = r->method;
>     rnew->method_number   = r->method_number;
> ? The consequence is that functions like negotiation
>     sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
> check auth on the wrong method. You can check this by POSTing to
> foo and having a limit on POST for foo.php3 (as opposed to the
> whole directory). A quick way to check is to set a breakpoint in
> ap_set_sub_req_protocol and
>   telnet localhost 80
>   POST /Overview HTTP/1.0
>   Content-Length: 5
>
>   abcd
> Any calls to the auth modules will have a method of GET despite
> the POST action they will eventually execute.
>
> All auth modules and the like could check for this:
>   int method = r->main ? r->main->method_number : r->method_number;
> but it seems better to have the sub request default to the method
> of the request that inspired it. There may be some modules that
> may count on the default behavior, like mod_include, but I think
> they should specifically make the new method be a GET as they are
> not duplicating the parent request's behaviour.
>
>
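
The behaviour described in the quoted message, as an added sketch that is not part of the original thread or of httpd itself: a POST parent request, a limit on POST, and the two sub-request setups compared. The struct, the bitmask model of `<Limit>`, and the names `sub_req_forced_get`, `sub_req_inherit`, `auth_required_own`, `auth_required_main` and `scenario` are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified stand-ins for httpd's request_rec and method numbers
 * (constructed for this sketch, not the real definitions). */
enum { M_GET = 0, M_POST = 2 };
typedef struct request_rec {
    int method_number;
    struct request_rec *main;      /* NULL for the top-level request */
} request_rec;

/* Sub-request setup as quoted in the message: method forced to GET. */
static void sub_req_forced_get(request_rec *rnew, request_rec *r) {
    rnew->main = r;
    rnew->method_number = M_GET;
}

/* Sub-request setup as proposed: inherit the parent's method. */
static void sub_req_inherit(request_rec *rnew, request_rec *r) {
    rnew->main = r;
    rnew->method_number = r->method_number;
}

/* Auth check that looks only at the (sub-)request's own method.
 * `limited` models a <Limit> block as a bitmask of method numbers. */
static int auth_required_own(unsigned limited, const request_rec *r) {
    return (limited & (1u << r->method_number)) != 0;
}

/* Auth check using the workaround from the message: consult r->main. */
static int auth_required_main(unsigned limited, const request_rec *r) {
    int method = r->main ? r->main->method_number : r->method_number;
    return (limited & (1u << method)) != 0;
}

/* POST parent, <Limit POST> on the looked-up file: auth demanded? */
int scenario(int inherit, int use_main) {
    request_rec parent = { M_POST, NULL }, sub;
    if (inherit) sub_req_inherit(&sub, &parent);
    else         sub_req_forced_get(&sub, &parent);
    return use_main ? auth_required_main(1u << M_POST, &sub)
                    : auth_required_own(1u << M_POST, &sub);
}

int main(void) {
    printf("forced GET, own method:  %d\n", scenario(0, 0));
    printf("forced GET, r->main:     %d\n", scenario(0, 1));
    printf("inherited,  own method:  %d\n", scenario(1, 0));
    return 0;
}
```

Only the first case reports that no auth is required, which is the mismatch the message points out: the access check sees GET while the parent request is a POST.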

