httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: mod_dav inconsistent behaviour for GET requests
Date Mon, 01 Feb 2010 20:14:32 GMT
On Sunday 31 January 2010, Justin Erenkrantz wrote:
> On Sun, Jan 31, 2010 at 3:01 AM, Stefan Fritsch <sf@sfritsch.de> wrote:
> > On Sat, 30 Jan 2010, Justin Erenkrantz wrote:
> >> I don't see how your patch would "intentionally" break - the
> >> failure mechanism is that the source scripts are served - not
> >> that a configuration error stops the server from running.  --
> >> justin
> >
> > Surely a fatal server error is not a necessary condition for
> > something to be broken?
> 
> When it has the capability of exposing source that would not
>  otherwise be served, absolutely.
> 
> The fundamental flaw with this patch is that dav_fixups runs after
> core_override_type - so the "none" handler simply won't get
>  reassigned by the rest of the applicable configs - ie set to CGI
>  or PHP or whatnot.  So, it would simply fall through and go to the
>  default handler.  Ouch.  -- justin

That's exactly what the patch is supposed to do. Therefore I would not 
call it flawed.

I think that the auth changes from 2.2 to trunk are so large that 
anyone upgrading will have to carefully review and test his 
configuration for security problems anyway. An additional change in 
the behaviour of mod_dav wouldn't create much of an additional problem 
(if it is documented correctly).

But since quite a few people disagree with me here, an alternative 
could be an additional directive (or second argument to 'Dav') that 
allows configuring the behaviour. For example

DavHandleMethods all
DavHandleMethods exceptPOST
DavHandleMethods exceptGET,POST

For 2.4, one could then leave the default at exceptGET,POST / 
exceptPOST (depending on the dav provider), just like it is for 2.2.x. 
But if the user does not specify DavHandleMethods explicitly, httpd 
could log a notice saying:

"DavHandleMethods defaulting to 'exceptGET,POST'. The default will 
change to 'all' with the next major release of httpd. Please specify 
DavHandleMethods explicitly."

Or one could even make the new directive mandatory, with httpd 
refusing to start without it.

Would this address your concerns?

Cheers,
Stefan
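The DavHandleMethods directive above is only a proposal, so the following is an added sketch of its semantics (constructed for this archive page, not mod_dav or httpd code): parsing of the three proposed values, the per-provider default with the suggested notice when the directive is absent, and the decision of whether mod_dav takes a request or lets it fall through to the handler the rest of the configuration assigned (CGI, PHP, ...). The type and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Only the methods named in the proposal are modelled (hypothetical). */
enum { DAV_M_GET = 1 << 0, DAV_M_POST = 1 << 1 };

struct dav_handle_cfg {
    int specified;      /* DavHandleMethods present in the config */
    unsigned excluded;  /* methods mod_dav must NOT take over */
};

static unsigned method_bit(const char *name, size_t len) {
    if (len == 3 && strncmp(name, "GET", 3) == 0)  return DAV_M_GET;
    if (len == 4 && strncmp(name, "POST", 4) == 0) return DAV_M_POST;
    return 0;  /* any other method stays with mod_dav */
}

/* Parse "all", "exceptPOST" or "exceptGET,POST"; -1 on an unknown value
 * (the case where the config parser would refuse the directive). */
int dav_parse_handle_methods(const char *arg, struct dav_handle_cfg *cfg) {
    cfg->specified = 1;
    cfg->excluded = 0;
    if (strcmp(arg, "all") == 0) return 0;
    if (strncmp(arg, "except", 6) != 0) return -1;
    for (const char *p = arg + 6; *p; ) {
        const char *start = p;
        while (*p && *p != ',') p++;
        unsigned bit = method_bit(start, (size_t)(p - start));
        if (!bit) return -1;
        cfg->excluded |= bit;
        if (*p == ',') p++;
    }
    return cfg->excluded ? 0 : -1;
}

/* Directive absent: keep the 2.2.x default (which depends on whether the
 * DAV provider serves GET itself) and log the notice from the mail. */
void dav_apply_default(struct dav_handle_cfg *cfg, int provider_serves_get) {
    if (cfg->specified) return;
    cfg->excluded = provider_serves_get ? DAV_M_POST : (DAV_M_GET | DAV_M_POST);
    fprintf(stderr, "DavHandleMethods defaulting to '%s'. The default will "
            "change to 'all' with the next major release of httpd. Please "
            "specify DavHandleMethods explicitly.\n",
            provider_serves_get ? "exceptPOST" : "exceptGET,POST");
}

/* 1: mod_dav handles the request; 0: it falls through to the handler the
 * rest of the configuration set, so scripts run instead of being served. */
int dav_should_handle(const struct dav_handle_cfg *cfg, const char *method) {
    return (method_bit(method, strlen(method)) & cfg->excluded) == 0;
}
```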
