
List:       apache-httpd-dev
Subject:    PATCH <PR-36368> DisallowPost
From:       Russell Miller <rmiller () duskglow ! com>
Date:       2005-08-26 21:56:21
Message-ID: 200508261456.22055.rmiller () duskglow ! com

(I sent this once before but I think it was bounced, so if you get it twice, 
my apologies)

A patch has been submitted to mod_cgi.c that will allow the user to disallow 
post requests in affected directories.

History and reasoning, as well as a patch, are in the report, #36368.  I will 
duplicate that part here:

We wanted to disallow the POST method, because for our purposes we wanted the 
arguments to said calls to be logged in the access log.  We considered using 
LimitExcept, but upon trying it, I saw that a 403 error was returned, and a 
search of the bug database showed that you had no plans to fix this.  I don't 
understand your reasoning on that, but anyway.  We needed a 405 error, and the 
only other way to do it was to test it in the CGI code itself, which was ugly. 
 
So, in true open source style, I hacked on mod_cgi and made a patch.  This 
creates a new config directive called DisallowPost - it's an ACCESS_CONF 
directive.  It can be either On or Off.  If it's on and you try to access a 
location protected by it with POST, you'll get a 405 method not allowed, which 
is exactly the behavior we needed. 
 
The patch line numbers will be off because I also applied the patch that fixes 
the #exec cmd problem.  However, other than that, it should apply to stock 
2.0.54. 

--Russell

-- 

Russell Miller - rmiller@duskglow.com - Agoura Hills, CA
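
The in-script check that the message mentions as the only other way to get a 405, as an added example that is not part of the original post and is not the mod_cgi patch from PR 36368. The function names `method_gate` and `handle_request` are hypothetical, and the `Allow` header is included because HTTP requires it on a 405 response.

```shell
#!/bin/sh
# Added example: method gate inside a CGI script (not the PR 36368 patch).
# Anything other than GET or HEAD is answered with 405 Method Not Allowed.

# method_gate METHOD
#   Allowed method: prints nothing, returns 0.
#   Any other value (including empty): prints a complete 405 CGI response,
#   returns 1.
method_gate() {
    case "$1" in
        GET|HEAD)
            return 0
            ;;
        *)
            # The CGI "Status:" header sets the HTTP status line.
            # A 405 response must list the permitted methods in Allow.
            printf 'Status: 405 Method Not Allowed\r\n'
            printf 'Allow: GET, HEAD\r\n'
            printf 'Content-Type: text/plain\r\n'
            printf '\r\n'
            printf 'Method not allowed.\n'
            return 1
            ;;
    esac
}

# handle_request METHOD
#   Writes the full CGI response for one request to stdout.
handle_request() {
    # Rejection response has already been written; nothing more to do.
    method_gate "$1" || return 0
    printf 'Content-Type: text/plain\r\n\r\n'
    # HEAD gets headers only.
    [ "$1" = HEAD ] || printf 'ok\n'
}

# The server sets GATEWAY_INTERFACE and REQUEST_METHOD when it runs a CGI;
# outside that environment the functions are only defined, not executed.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request "${REQUEST_METHOD:-}"
fi
```

With only GET and HEAD accepted, request arguments arrive in the query string, which is part of the request line recorded in the access log.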
