httpd-users mailing list archives

From Erich Oliphant <eri...@vantixweb.com>
Subject Re: [users@httpd] Limiting HTTP Methods
Date Wed, 19 Nov 2003 21:31:38 GMT
I am trying to prevent nastiness such as TRACE-based attacks.  The 
following short Perl script:
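#!/usr/local/bin/perl -w

use strict;
use LWP::UserAgent;
use HTTP::Request;

# Prepend a custom product token to the default libwww-perl User-Agent.
my $ua = LWP::UserAgent->new;
$ua->agent("AgentName/0.1" . $ua->agent);

# Build a TRACE request for the site root (host left redacted as posted).
my $req = HTTP::Request->new(TRACE => "https://<my url...>/");

my $res = $ua->request($req);

if ($res->is_success)
{
    # The server accepted TRACE and echoed the request back.
    print $res->content;
}
else
{
    print "failed";
    print $res->error_as_HTML;
}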

Prints the following:
--
TRACE / HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: <my url ...>
User-Agent: AgentName/0.1libwww-perl/5.75
--

as opposed to "failed" and a "Method Not Allowed" error as I would 
expect.  I thought maybe it was an issue with the resolving of my 
various Directory, Location, etc. directives, but I've tried both making 
this the first and last directive and received the same results.

I will try it on a fresh Apache setup as well to verify that some of 
the preexisting directives are not confusing it.



On Wednesday, November 19, 2003, at 03:36  PM, Joshua Slive wrote:

>
> On Wed, 19 Nov 2003, Erich Oliphant wrote:
>
>> Hello,
>> I am trying to limit the methods sent by any client.   For example,
>> I've tried the following to prevent anything other than POSTs or GETs:
>>
>> <Location />
>>          <LimitExcept GET POST>
>>                  Order deny,allow
>>                  Deny from all
>>          </LimitExcept>
>> </Location>
>>
>> This is not working (hence this email :)).  Any suggestions would be
>> greatly appreciated.
>
> That technique is basically correct.  What is your evidence that it is
> not working?
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Sum Cogito Ergo
I Am Therefore I Think
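
The check described in this message, generalized to several methods, as an added example that is not part of the original post or of the Apache project. It runs against a local stub server constructed here to mimic the behaviour reported above (GET and POST served, TRACE echoed, other methods refused); the names StubHandler, start_stub, audit_methods and the X-Audit-Marker header are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the server in the post: TRACE is still answered."""
    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = lambda self: self._reply(200, b"ok")
    def do_TRACE(self):  # echo request line and headers, like the quoted output
        self._reply(200, (self.requestline + "\r\n" + str(self.headers)).encode())
    do_PUT = do_DELETE = do_OPTIONS = lambda self: self._reply(405)
    log_message = lambda self, *args: None  # keep the demo quiet

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def audit_methods(host, port, allowed=("GET", "POST"),
                  probes=("GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """Send each method once; return {method: (status, verdict)}."""
    report = {}
    for method in probes:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/", headers={"X-Audit-Marker": "canary-1"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        accepted = 200 <= resp.status < 300
        if method in allowed:
            verdict = "expected" if accepted else "allowed method was refused"
        elif not accepted:
            verdict = "expected"
        elif b"canary-1" in body:  # our own header came back: TRACE-style echo
            verdict = "VIOLATION: request echoed"
        else:
            verdict = "VIOLATION"
        report[method] = (resp.status, verdict)
    return report

if __name__ == "__main__":
    stub = start_stub()
    for method, (status, verdict) in audit_methods("127.0.0.1", stub.server_port).items():
        print(f"{method:8} {status} {verdict}")
    stub.shutdown()
```

Pointed at a real host and port, audit_methods reports whether a method restriction such as the LimitExcept block quoted in this message is enforced for each verb. In current Apache httpd documentation, TRACE is not restricted by Limit or LimitExcept and is controlled by the TraceEnable directive instead.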

