httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: Proxying OPTIONS *
Date Mon, 01 Oct 2007 18:02:29 GMT

On Oct 1, 2007, at 11:14 AM, Nick Kew wrote:

> On Mon, 01 Oct 2007 16:43:57 +0200
> Ruediger Pluem <rpluem@apache.org> wrote:
>
>> On 10/01/2007 03:30 PM, Joshua Slive wrote:
>>> On 10/1/07, Jim Jagielski <jim@devsys.jagunet.com> wrote:
>>
>> [summary of everyone]
>> No problem.
>
> OK, it's actually applying the permissions of DocumentRoot.
> It's also ignoring the permissions on <Location />
>
> So my report was wrong, but we still have a bug:
> we shouldn't be mapping OPTIONS * to the filesystem.
>

TRACE also does not/should not trace to the filesystem.
So, I think what we should do is use the existing
architecture and have a quick_handler that checks for
the OPTIONS * case and, if so, return DONE.

I am not sure, to be honest, what we should do for
OPTIONS /foo if /foo is a protected entity... Reading
9.2: "communication options available on the request/response
chain... without implying a resource action or initiating a
resource retrieval" implies to me that ACL shouldn't even
enter into it and should never return a 403... Which
also implies that we should not honor any Limit for
Options either...

Before I work on the fix (http://issues.apache.org/bugzilla/ 
attachment.cgi?id=20902
seems just plain wrong to me), I'd like to see what
Roy thinks about the above compliance points...

Mime
View raw message