fielding 99/02/09 12:20:27
Modified: . STATUS
htdocs/manual/mod core.html directives.html
src CHANGES
src/main http_core.c
Log:
Added a <LimitExcept method ...> sectioning directive that allows
the user to assign authentication control to any HTTP method that
is *not* given in the argument list; i.e., the logical negation
of the <Limit> directive. This is particularly useful for controlling
access on methods unknown to the Apache core, but perhaps known by
some module or CGI script.
Submitted by: Roy Fielding and Tony Finch <[EMAIL PROTECTED]>
Revision Changes Path
1.617 +1 -13 apache-1.3/STATUS
Index: STATUS
===================================================================
RCS file: /home/cvs/apache-1.3/STATUS,v
retrieving revision 1.616
retrieving revision 1.617
diff -u -r1.616 -r1.617
--- STATUS 1999/02/09 18:00:18 1.616
+++ STATUS 1999/02/09 20:20:22 1.617
@@ -1,5 +1,5 @@
1.3 STATUS:
- Last modified at [$Date: 1999/02/09 18:00:18 $]
+ Last modified at [$Date: 1999/02/09 20:20:22 $]
Release:
@@ -60,18 +60,6 @@
* John Bley's [PATCH] malloc checks
MID: <[EMAIL PROTECTED]>
Status: Jim -0 (maybe the messages could be more detailed?)
-
- * Tony Finch's [PATCH] <LimitExcept>
- Message-ID: <[EMAIL PROTECTED]>
- Status: Roy [looks good, but we might be able to do better by using
- the same function as Limit and just checking cmd]
-
- * Dean's [PATCH] etag continued (take 2)
- Adds strong comparison functions to other checks.
- MID: <[EMAIL PROTECTED]>
- Status: Roy needs to fix ap_find_opaque_token() because it doesn't
- do the right HTTP parsing anyway, so this will probably be
- folded in at the same time.
* Cliff's [PATCH] 500 errors not giving error-notes (related to PR #3455)
Message-ID: <[EMAIL PROTECTED]>
1.145 +32 -1 apache-1.3/htdocs/manual/mod/core.html
Index: core.html
===================================================================
RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/core.html,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -r1.144 -r1.145
--- core.html 1999/02/06 11:00:57 1.144
+++ core.html 1999/02/09 20:20:23 1.145
@@ -49,6 +49,7 @@
<LI><A HREF="#keepalive">KeepAlive</A>
<LI><A HREF="#keepalivetimeout">KeepAliveTimeout</A>
<LI><A HREF="#limit"><Limit></A>
+<LI><A HREF="#limitexcept"><LimitExcept></A>
<LI><A HREF="#limitrequestbody">LimitRequestBody</A>
<LI><A HREF="#limitrequestfields">LimitRequestFields</A>
<LI><A HREF="#limitrequestfieldsize">LimitRequestFieldsize</A>
@@ -659,7 +660,8 @@
The directory sections typically occur in the access.conf file, but they
may appear in any configuration file. <Directory> directives cannot
-nest, and cannot appear in a <A HREF="#limit"><Limit></A> section.
+nest, and cannot appear in a <A HREF="#limit"><Limit></A> or
+<A HREF="#limitexcept"><LimitExcept></A> section.
<P>
<STRONG>See also</STRONG>: <A HREF="../sections.html">How Directory,
@@ -1337,6 +1339,35 @@
If GET is used it will also restrict HEAD requests.
<STRONG>If you wish to limit all methods, do not include any
<Limit> directive at all.</STRONG>
+
+<P><HR>
+
+<H2><A NAME="limitexcept"><LimitExcept> directive</A></H2>
+<!--%plaintext <?INDEX {\tt LimitExcept} section directive> -->
+<A
+ HREF="directive-dict.html#Syntax"
+ REL="Help"
+><STRONG>Syntax:</STRONG></A>
+ <LimitExcept <EM>method method</EM> ... > ... </LimitExcept><BR>
+<A
+ HREF="directive-dict.html#Context"
+ REL="Help"
+><STRONG>Context:</STRONG></A> any<BR>
+<A
+ HREF="directive-dict.html#Status"
+ REL="Help"
+><STRONG>Status:</STRONG></A> core<BR>
+<A
+ HREF="directive-dict.html#Compatibility"
+ REL="Help"
+><STRONG>Compatibility:</STRONG></A> Available in Apache 1.3.5 and later<P>
+
+<LimitExcept> and </LimitExcept> are used to enclose a group of
+access control directives which will then apply to any HTTP access method
+<STRONG>not</STRONG> listed in the arguments; i.e., it is the opposite of a
+<A HREF="#limit"><Limit></A> section and can be used to control both
+standard and nonstandard/unrecognized methods. See the documentation for
+<A HREF="#limit"><Limit></A> for more details.
<P><HR>
1.55 +1 -0 apache-1.3/htdocs/manual/mod/directives.html
Index: directives.html
===================================================================
RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- directives.html 1999/02/06 11:00:57 1.54
+++ directives.html 1999/02/09 20:20:23 1.55
@@ -123,6 +123,7 @@
<LI><A HREF="core.html#keepalivetimeout">KeepAliveTimeout</A>
<LI><A HREF="mod_negotiation.html#languagepriority">LanguagePriority</A>
<LI><A HREF="core.html#limit"><Limit></A>
+<LI><A HREF="core.html#limitexcept"><LimitExcept></A>
<LI><A HREF="core.html#limitrequestbody">LimitRequestBody</A>
<LI><A HREF="core.html#limitrequestfields">LimitRequestFields</A>
<LI><A HREF="core.html#limitrequestfieldsize">LimitRequestFieldsize</A>
1.1245 +7 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1244
retrieving revision 1.1245
diff -u -r1.1244 -r1.1245
--- CHANGES 1999/02/09 18:00:22 1.1244
+++ CHANGES 1999/02/09 20:20:25 1.1245
@@ -1,5 +1,12 @@
Changes with Apache 1.3.5
+ *) Added a <LimitExcept method ...> sectioning directive that allows
+ the user to assign authentication control to any HTTP method that
+ is *not* given in the argument list; i.e., the logical negation
+ of the <Limit> directive. This is particularly useful for controlling
+ access on methods unknown to the Apache core, but perhaps known by
+ some module or CGI script. [Roy Fielding, Tony Finch]
+
*) Prevent apachectl from complaining if the PIDFILE exists but
does not contain a process id, as might occur if the server is
being rapidly restarted. [Wilfredo Sanchez]
1.249 +17 -6 apache-1.3/src/main/http_core.c
Index: http_core.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.248
retrieving revision 1.249
diff -u -r1.248 -r1.249
--- http_core.c 1999/02/06 03:02:11 1.248
+++ http_core.c 1999/02/09 20:20:26 1.249
@@ -1241,6 +1241,7 @@
const char *arg)
{
const char *limited_methods = ap_getword(cmd->pool, &arg, '>');
+ void *tog = cmd->cmd->cmd_data;
int limited = 0;
const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
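Review bot: `tog` is an opaque name for a `void *` that is only ever tested against NULL, so the contract with the command table is invisible at the point of use. A named flag would document it, for example `int is_except = (cmd->cmd->cmd_data != NULL); /* non-NULL cmd_data marks <LimitExcept> */`. The same applies to the `tog` local added in `endlimit_section` and to the bare `(void*)1` in the two new command-table entries, which deserve a one-line comment saying what the value means. The function's signature starts outside this hunk.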
@@ -1249,7 +1250,7 @@
}
/* XXX: NB: Currently, we have no way of checking
- * whether <Limit> sections are closed properly.
+ * whether <Limit> or <LimitExcept> sections are closed properly.
* (If we would add a srm_command_loop() here we might...)
*/
@@ -1257,26 +1258,31 @@
char *method = ap_getword_conf(cmd->pool, &limited_methods);
int methnum = ap_method_number_of(method);
- if (methnum == M_TRACE) {
+ if (methnum == M_TRACE && !tog) {
return "TRACE cannot be controlled by <Limit>";
}
else if (methnum == M_INVALID) {
- return ap_pstrcat(cmd->pool, "unknown method \"",
- method, "\" in <Limit>", NULL);
+ return ap_pstrcat(cmd->pool, "unknown method \"", method,
+ "\" in <Limit", tog ? "Except>" : ">", NULL);
}
else {
limited |= (1 << methnum);
}
}
- cmd->limited = limited;
+ /* Killing two features with one function,
+ * if (tog == NULL) <Limit>, else <LimitExcept>
+ */
+ cmd->limited = tog ? ~limited : limited;
return NULL;
}
static const char *endlimit_section(cmd_parms *cmd, void *dummy, void
*dummy2)
{
+ void *tog = cmd->cmd->cmd_data;
+
if (cmd->limited == -1) {
- return "</Limit> unexpected";
+ return tog ? "</LimitExcept> unexpected" : "</Limit> unexpected";
}
cmd->limited = -1;
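Review bot: An empty method list in `<LimitExcept>` leaves `limited` at 0, so `cmd->limited = tog ? ~limited : limited;` stores -1, the same value `endlimit_section` treats as "not inside a section". The matching `</LimitExcept>` then fails with "</LimitExcept> unexpected", and any other code that tests `cmd->limited == -1` would presumably treat the enclosed access-control directives as unscoped. Reject that case before the assignment, for example `if (tog && limited == 0) return "<LimitExcept> requires at least one method";` (message text is a suggestion). Separately, `endlimit_section` takes `tog` from the closing directive only, so a `<Limit GET>` closed by `</LimitExcept>` is accepted without complaint, which is worth a comment next to the existing XXX note about unchecked section closing. Both functions begin or end outside this hunk.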
@@ -2675,6 +2681,11 @@
"authentication directives when accessed using specified HTTP methods" },
{ "</Limit>", endlimit_section, NULL, OR_ALL, NO_ARGS,
"Marks end of <Limit>" },
+{ "<LimitExcept", ap_limit_section, (void*)1, OR_ALL, RAW_ARGS,
+ "Container for authentication directives to be applied when any HTTP "
+ "method other than those specified is used to access the resource" },
+{ "</LimitExcept>", endlimit_section, (void*)1, OR_ALL, NO_ARGS,
+ "Marks end of <LimitExcept>" },
{ "<IfModule", start_ifmod, NULL, OR_ALL, TAKE1,
"Container for directives based on existance of specified modules" },
{ end_ifmodule_section, end_ifmod, NULL, OR_ALL, NO_ARGS,