httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: mod_dav inconsistent behaviour for GET requests
Date Sat, 30 Jan 2010 00:20:37 GMT
On Jan 29, 2010, at 10:46 AM, Stefan Fritsch wrote:

> On Friday 29 January 2010, Plüm, Rüdiger, VF-Group wrote:
>> Thanks for clarification. I guess I understand your intension
>> better now. So basicly you want those providers that do not
>> implement GET by themselves to enforce the usage of the default
>> handler, correct?
>> Mind to sent a patch to the list for better review?
> 
> Exactly. The patch below works with 2.2 (haven't tested with trunk
> due to lack of mod_php).
> 
> BTW, I found PR 13025, which seems to suggest that being able to mix
> script execution and DAV on the same URL is a feature. I am still for
> removing this 'feature' in trunk, though. But I would be against a
> backport to 2.2.x.
> 
> 
> --- a/modules/dav/main/mod_dav.c
> +++ b/modules/dav/main/mod_dav.c
> @@ -4803,12 +4803,13 @@ static int dav_fixups(request_rec *r)
> 
>         /*
>          * If the repository hasn't indicated that it will handle the
> -         * GET method, then just punt.
> -         *
> -         * ### this isn't quite right... taking over the response can break
> -         * ### things like mod_negotiation. need to look into this some more.
> +         * GET method, then we let the default handler do it. Set the handler
> +         * explicitly to ensure that no other handler takes the request.
> +         * We don't care about directories, though.
>          */
>         if (!conf->provider->repos->handle_get) {
> +            if (r->finfo.filetype != APR_DIR)
> +                r->handler = "none";
>             return DECLINED;
>         }
>     }

It looks to me like that would introduce a security hole for existing
configs that expect a handler to run on GET (PHP/CGI scripts that are
authorable via DAV).  -1 if so.

....Roy
Mime
View raw message