httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan Bloom <...@ntrnet.net>
Subject Re: POST
Date Mon, 30 Sep 2002 05:17:55 GMT

<Copying security, because this is a big issue>

On Sun, 29 Sep 2002, Jerry Baker wrote:

> Ryan Bloom says:
> > There is already a bug filed.  It works if you don't have DAV enabled for
> > that CGI location.  I am hoping to look at that today.
> 
> Is there a way to at least stop Apache from giving the script source to 
> the viewer without disabling CGI or DAV?

According to my reading of the code, no it isn't possible.  However, I
have just commmitted a fix for this.  I am hoping that one of the DAV
experts will review my fix for correctness, but it is what we did until a
few weeks ago.

However, from my reading of the dav_module, I have a major concern.  The
module is currently trying to handle every type of request.  But, that is
wrong, it isn't how modules are supposed to behave.  Mod_dav should only
be setting the handler field for requests that it knows it can serve
correctly.

Because 2.0.42 always displays script source for CGI scripts that use
POST, I believe that we should put that notice on our main site, and stop
suggesting 2.0.42 for production use.

Mod_dav developers, please check my commit.

Ryan
_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------


Mime
View raw message