
rst at ai
Mar 13, 1995, 10:13 AM
Post #2 of 4
Re: What the heck is this?!? : re: put and delete functions in httpd
What you're looking at there is a consequence of the way that the NCSA httpd does access control --- it allows separate access control directives for each supported HTTP method. So, in order to limit *all* access to a directory, you really need to say:

<Limit GET POST PUT DELETE>

Unfortunately, almost no one actually does this, perhaps because all of the examples in the server docs just use <Limit GET>, which leaves POST unrestricted.

The consequences of this aren't *quite* as severe as they look --- DELETE and PUT are handled by just looking for a CGI script to hand them off to, and CGI scripts which actually handle DELETE and PUT requests as a non-malicious client might have intended them are somewhat rare. However, this does leave POSTs unrestricted, so it sure isn't good.

Given the installed base, the best thing to do about this might be to hack http_access.c so that all other methods are subjected to security checks at least as stringent as those applying to GETs by default, whether additional <Limit> directives are specified for those methods or not.

rst
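A small audit script for the misconfiguration described in the post above, added here as an example and not part of the original message or of NCSA httpd. It assumes only the <Limit METHOD ...> syntax the post quotes: a method named in no <Limit> block gets no access control, so the script reports which of GET, POST, PUT and DELETE a given access configuration leaves unrestricted.

```python
"""Audit NCSA-style <Limit> blocks for HTTP methods left unrestricted.

Added example, not code from the original post or from NCSA httpd.
Assumption: access control directives apply only to the methods named
in the enclosing <Limit ...> block, as the post describes, so a method
named in no <Limit> block is unrestricted.
"""
import re

# The four methods the post says must all be named to limit *all* access.
METHODS = ("GET", "POST", "PUT", "DELETE")

# Matches one <Limit METHOD ...> ... </Limit> block (case-insensitive).
LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.I | re.S)


def limited_methods(config: str) -> set[str]:
    """Return the set of methods named by at least one <Limit> block."""
    covered: set[str] = set()
    for match in LIMIT_RE.finditer(config):
        covered.update(tok.upper() for tok in match.group(1).split())
    return covered


def unrestricted_methods(config: str) -> list[str]:
    """Methods from METHODS that no <Limit> block in `config` names."""
    covered = limited_methods(config)
    return [m for m in METHODS if m not in covered]


# Constructed sample: the form the post says the server docs show ...
WEAK = """\
<Limit GET>
order deny,allow
deny from all
allow from .example.com
</Limit>
"""

# ... and the corrected form the post recommends.
FIXED = """\
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
allow from .example.com
</Limit>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        gaps = unrestricted_methods(cfg)
        print(f"{name}: {'unrestricted ' + ', '.join(gaps) if gaps else 'all methods limited'}")
```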