httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: mod_dav inconsistent behaviour for GET requests
Date Sat, 30 Jan 2010 10:04:55 GMT
On Saturday 30 January 2010, Roy T. Fielding wrote:
> >          */
> >         if (!conf->provider->repos->handle_get) {
> > +            if (r->finfo.filetype != APR_DIR)
> > +                r->handler = "none";
> >             return DECLINED;
> >         }
> >     }
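
Review bot: In the two added lines inside `if (!conf->provider->repos->handle_get)`, the test `r->finfo.filetype != APR_DIR` matches every filetype other than a directory, so resources that are not regular files (or do not exist) also have their handler replaced; if only regular files are meant, test for `APR_REG` instead. The assignment `r->handler = "none"` discards whatever handler the configuration had selected for the GET, so it needs a comment stating that this is intended and what "none" means here, plus a note in the upgrade documentation. The new `if` should also carry braces to match the surrounding style.
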
> 
> It looks to me like that would introduce a security hole for
>  existing configs that expect a handler to run on GET (PHP/CGI
>  scripts that are authorable via DAV).  -1 if so.

The recommended setup is to map separate URLs for DAV and script 
execution to the content. It has been like this since at least 2.0.

The patch intentionally breaks existing configs that rely on the 
ability to use the same URLs for DAV and script execution. Is this not 
an acceptable change from 2.2 to 2.4 (if properly documented), as it 
makes life a lot easier for people who use the recommended setup?
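
The separate-URL setup described above, sketched as an Apache 2.4 configuration. This is an added example, not part of the original message or the httpd project's own code; the file system paths, URL prefixes, realm name and password file are constructed placeholders.

```apache
# Constructed example: all paths and URL prefixes are placeholders.

# Weak layout (shown commented out): one URL space is both DAV-authorable
# and script-executing, so what a GET does depends on which handler wins.
#
# <Directory "/srv/www/app">
#     Dav On
#     Options +ExecCGI
#     AddHandler cgi-script .cgi
# </Directory>

# Separated layout: two URL prefixes mapped onto the same content.
DavLockDB "/var/lib/apache2/dav/DavLock"

# Execution URL: scripts run here, DAV is not enabled.
Alias "/app" "/srv/www/app"
<Location "/app">
    Options +ExecCGI
    AddHandler cgi-script .cgi
    Require all granted
</Location>

# Authoring URL: DAV is enabled, authors must authenticate, and no script
# handler is configured, so a GET returns the source as plain text.
Alias "/app-src" "/srv/www/app"
<Location "/app-src">
    Dav On
    ForceType text/plain
    AuthType Basic
    AuthName "DAV authoring"
    AuthUserFile "/etc/apache2/dav.passwd"
    Require valid-user
</Location>
```

With this layout, any `AddHandler` or `SetHandler` declared at server or virtual-host level would still apply under `/app-src`, so script handlers are best scoped to the execution location only.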
