httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Proxying OPTIONS *
Date Mon, 01 Oct 2007 15:14:14 GMT
On Mon, 01 Oct 2007 16:43:57 +0200
Ruediger Pluem <rpluem@apache.org> wrote:

> On 10/01/2007 03:30 PM, Joshua Slive wrote:
> > On 10/1/07, Jim Jagielski <jim@devsys.jagunet.com> wrote:
> 
> [summary of everyone]
> No problem.

OK, it's actually applying the permissions of DocumentRoot.
It's also ignoring the permissions on <Location />

So my report was wrong, but we still have a bug:
we shouldn't be mapping OPTIONS * to the filesystem.

You can reproduce the 403 with:

<Directory />
	DENY
</Directory>

DocumentRoot /usr/local/apache/htdocs
<Directory /usr/local/apache/htdocs>
	# no access/authnz directives at all here
</Directory>

<Location />
	ALLOW
</Location>

RFC2616 tells us OPTIONS * is basically a simple HTTP ping,
which suggests it could be at a 'lower' level than authconfig
and always be allowed.  If there is a reason to deny it,
that could be by means of something analogous to TraceEnable.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
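
An added example, not part of the original message: a small probe that sends `OPTIONS *` and reports whether the server answered it as a ping (200) or applied access control to it (403), as in the reproduction above. The stub server, the function names and the `Allow` value are constructed for illustration so the check runs offline; point `options_star()` at a test instance of your own to check a real configuration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def options_star(host, port, timeout=5.0):
    """Send 'OPTIONS * HTTP/1.1' and return (status, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "*")  # request-target is the literal asterisk
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()

def classify(status):
    """Interpret the status in terms of the behaviour discussed in the thread."""
    if status == 200:
        return "answered as a server-wide ping"
    if status == 403:
        return "refused: access control was applied to OPTIONS *"
    return "unexpected status %d" % status

def make_stub(status):
    """Constructed stand-in server (not Apache): fixed status for OPTIONS *."""
    class Handler(BaseHTTPRequestHandler):
        def do_OPTIONS(self):
            code = status if self.path == "*" else 400
            self.send_response(code)
            if code == 200:
                self.send_header("Allow", "GET,HEAD,POST,OPTIONS")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    return HTTPServer(("127.0.0.1", 0), Handler)

def probe_stub(status):
    """Start a stub on an ephemeral port, probe it, then shut it down."""
    srv = make_stub(status)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return options_star("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for code in (200, 403):
        st, allow = probe_stub(code)
        print(st, allow, "->", classify(st))
```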
