httpd-users mailing list archives

From Aaron Morris <aaronmor...@mindspring.com>
Subject Re: [users@httpd] Limiting HTTP Methods
Date Wed, 19 Nov 2003 21:46:51 GMT


Erich Oliphant wrote:
> I am trying to prevent nastiness such as TRACE based attacks.  The 
> following short Perl script:
> #!/usr/local/bin/perl -w
> 
> use LWP::UserAgent;
> my $ua = new LWP::UserAgent;
> $ua->agent("AgentName/0.1" . $ua->agent);
> 
> 
> my $req = new HTTP::Request TRACE => "https://<my url...>/";
> 
> my $res = $ua->request($req);
> 
> if ($res->is_success)
> {
>         print $res->content;
> }
> else
> {
>         print "failed";
>         print $res->error_as_HTML;
> }
> 
> Prints the following:
> -- 
> TRACE / HTTP/1.1
> TE: deflate,gzip;q=0.3
> Connection: TE, close
> Host: <my url ...>
> User-Agent: AgentName/0.1libwww-perl/5.75
> -- 
> 
> as opposed to "failed" and a "Method Not Allowed" error as I would 
> expect.  I thought maybe it was an issue with the resolving of my 
> various Directory, Location, etc directives but I've tried both making 
> this the first and last directive and received the same results.
> 
> I will try it on a fresh Apache setup as well to verify that some of the 
> preexisting directives are not confusing it.
> 
> 
> 
> On Wednesday, November 19, 2003, at 03:36  PM, Joshua Slive wrote:
> 
>>
>> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>>
>>> Hello,
>>> I am trying to limit the methods sent by any client.   For example,
>>> I've tried the following to prevent anything other than POSTs or GETs:
>>>
>>> <Location />
>>>          <LimitExcept GET POST>
>>>                  Order deny,allow
>>>                  Deny from all
>>>          </LimitExcept>
>>> </Location>
>>>
>>> This is not working (hence this email :)).  Any suggestions would be
>>> greatly appreciated.
>>
>>
>> That technique is basically correct.  What is your evidence that it is
>> not working?
>>
>> Joshua.
>>
>>
>>
> Sum Cogito Ergo
> I Am Therefore I Think
> 
> 

The TRACE method cannot be limited with the <Limit> or <LimitExcept> 
directives.

-- 
Aaron W Morris <aaronmorris@mindspring.com> (decep)




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
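
Added example, not part of the original message: a configuration sketch that disables TRACE separately from the <LimitExcept> block quoted above. It relies on the TraceEnable directive, which exists only in httpd 1.3.34, 2.0.55 and later releases, and shows a mod_rewrite alternative for older builds on the assumption that mod_rewrite is loaded.

```apache
# Added example, not from the thread.

# Option 1 (httpd 1.3.34 / 2.0.55 and later): turn TRACE off in the core.
# Valid in server config and <VirtualHost> context only, not inside
# <Location> or <Directory>. TRACE requests are then answered with
# 405 Method Not Allowed.
TraceEnable off

# Option 2 (older builds without TraceEnable; assumes mod_rewrite is loaded):
# answer TRACE with 403 Forbidden. Rewrite rules set at server level are not
# inherited by virtual hosts by default, so repeat this block in each
# <VirtualHost> or use "RewriteOptions inherit" there.
#
# RewriteEngine On
# RewriteCond %{REQUEST_METHOD} ^TRACE
# RewriteRule .* - [F]

# Methods other than TRACE can still be restricted as in the original post.
# This is the 2.0/2.2 access syntax used in the thread; httpd 2.4 expresses
# the same denial with "Require all denied".
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
```

Re-running the TRACE request from the quoted script against a server configured this way should print "failed" and the error page instead of echoing the request headers.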

