<Copying security, because this is a big issue>
On Sun, 29 Sep 2002, Jerry Baker wrote:

> Ryan Bloom says:
> > There is already a bug filed. It works if you don't have DAV enabled for
> > that CGI location. I am hoping to look at that today.
>
> Is there a way to at least stop Apache from giving the script source to
> the viewer without disabling CGI or DAV?

According to my reading of the code, no it isn't possible. However, I have just committed a fix for this. I am hoping that one of the DAV experts will review my fix for correctness, but it is what we did until a few weeks ago.

However, from my reading of the dav_module, I have a major concern. The module is currently trying to handle every type of request. But, that is wrong, it isn't how modules are supposed to behave. Mod_dav should only be setting the handler field for requests that it knows it can serve correctly.

Because 2.0.42 always displays script source for CGI scripts that use POST, I believe that we should put that notice on our main site, and stop suggesting 2.0.42 for production use.

Mod_dav developers, please check my commit.

Ryan

_______________________________________________________________________________
Ryan Bloom                              [EMAIL PROTECTED]
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------