www-apache-bugdb mailing list archives

From Tony Finch <...@dotat.at>
Subject Re: general/6548: Apache treats an HTTP 1.1 PUT request as a GET in some cases
Date Thu, 21 Sep 2000 21:00:01 GMT
The following reply was made to PR general/6548; it has been noted by GNATS.

From: Tony Finch <dot@dotat.at>
To: Christian Smith <csmith@barebones.com>
Cc: "Fielding, Roy" <fielding@eBuilt.com>, vincent@hpwww.ec-lyon.fr,
	ylafon@w3.org, Karl Dubost <karl@w3.org>, apbugs@apache.org
Subject: Re: general/6548: Apache treats an HTTP 1.1 PUT request as a GET  in some cases
Date: Thu, 21 Sep 2000 20:55:58 +0000

 Christian Smith <csmith@barebones.com> wrote:
 >On Thursday, September 21, 2000 at 11:51, fielding@eBuilt.com (Fielding, Roy) wrote:
 >
 >> The cgi-bin namespace within Apache is not a filesystem.  Resources
 >> within that space are part of the server and responsible for their
 >> own HTTP processing.  If there is a CGI script within that space that
 >> does not properly respond to a PUT, then delete that CGI script.
 >
 >Thank you for the clarification on this issue. 
 >
 >> This does not in any way change Apache's compliance with RFC 2616.
 >> Apache httpd does not distribute with CGI scripts enabled.
 >> Each resource defines the methods which are applicable to it.
 >> No resource is required to allow PUT.
 >> 
 >> mod_put will not work for the /cgi-bin namespace because that would
 >> generally be considered a security hole.
 >
 >More of a hole than having individual CGIs responsible for their own HTTP
 >processing?
 
 Of course. Putting un-audited code on your web server is dangerous,
 especially server code (CGIs) that doesn't understand HTTP to the
 extent that is required.
 
 >How is it possible then to create a resource within the cgi-bin namespace
 >via http PUT?
 
 Write a CGI to handle 404 errors which knows what to do with a PUT.
 
 >Seems like there would also be issues with DELETE. Asking an
 >object to delete itself seems like a bad idea...
 
 Probably :-)
 
 Tony.
 -- 
 en oeccget g mtcaa    f.a.n.finch
 v spdlkishrhtewe y    dot@dotat.at
 eatp o v eiti i d.    fanf@covalent.net
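
Added example, not part of the original message or of Apache: a minimal CGI script that does its own HTTP method handling, as the thread says resources in the cgi-bin namespace must, and refuses a PUT with 405 instead of answering it as if it were a GET. The resource body and the allowed-method list are constructed for illustration; REQUEST_METHOD and the Status header are the standard CGI interface.

```python
#!/usr/bin/env python3
"""Constructed CGI sketch: the script is responsible for its own HTTP methods."""
import os
import sys

# Methods this hypothetical resource implements; everything else is refused.
ALLOWED = ("GET", "HEAD")


def respond(environ):
    """Return (header_lines, body) for the CGI request described by environ."""
    method = environ.get("REQUEST_METHOD", "")
    if method not in ALLOWED:
        # Refuse explicitly rather than falling through to the GET path.
        # RFC 2616 requires an Allow header on a 405 response.
        headers = [
            "Status: 405 Method Not Allowed",
            "Allow: " + ", ".join(ALLOWED),
            "Content-Type: text/plain",
        ]
        # Fixed message: the request method is not echoed back to the client.
        return headers, "This resource does not accept that method.\n"

    body = "hello from the resource\n"
    headers = [
        "Status: 200 OK",
        "Content-Type: text/plain",
        "Content-Length: %d" % len(body.encode("ascii")),
    ]
    # HEAD gets the same headers as GET but no body.
    return headers, ("" if method == "HEAD" else body)


def main():
    headers, body = respond(os.environ)
    # CGI response: header lines, a blank line, then the body.
    sys.stdout.write("\n".join(headers) + "\n\n" + body)


if __name__ == "__main__":
    main()
```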
