fielding 99/02/09 12:20:27
Modified: . STATUS htdocs/manual/mod core.html directives.html src CHANGES src/main http_core.c Log: Added a <LimitExcept method ...> sectioning directive that allows the user to assign authentication control to any HTTP method that is *not* given in the argument list; i.e., the logical negation of the <Limit> directive. This is particularly useful for controlling access on methods unknown to the Apache core, but perhaps known by some module or CGI script. Submitted by: Roy Fielding and Tony Finch <[EMAIL PROTECTED]> Revision Changes Path 1.617 +1 -13 apache-1.3/STATUS Index: STATUS =================================================================== RCS file: /home/cvs/apache-1.3/STATUS,v retrieving revision 1.616 retrieving revision 1.617 diff -u -r1.616 -r1.617 --- STATUS 1999/02/09 18:00:18 1.616 +++ STATUS 1999/02/09 20:20:22 1.617 @@ -1,5 +1,5 @@ 1.3 STATUS: - Last modified at [$Date: 1999/02/09 18:00:18 $] + Last modified at [$Date: 1999/02/09 20:20:22 $] Release: @@ -60,18 +60,6 @@ * John Bley's [PATCH] malloc checks MID: <[EMAIL PROTECTED]> Status: Jim -0 (maybe the messages could be more detailed?) - - * Tony Finch's [PATCH] <LimitExcept> - Message-ID: <[EMAIL PROTECTED]> - Status: Roy [looks good, but we might be able to do better by using - the same function as Limit and just checking cmd] - - * Dean's [PATCH] etag continued (take 2) - Adds strong comparison functions to other checks. - MID: <[EMAIL PROTECTED]> - Status: Roy needs to fix ap_find_opaque_token() because it doesn't - do the right HTTP parsing anyway, so this will probably be - folded in at the same time. * Cliff's [PATCH] 500 errors not giving error-notes (related to PR #3455) Message-ID: <[EMAIL PROTECTED]> 1.145 +32 -1 apache-1.3/htdocs/manual/mod/core.html Index: core.html =================================================================== RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/core.html,v retrieving revision 1.144 retrieving revision 1.145 diff -u -r1.144 -r1.145 --- core.html 1999/02/06 11:00:57 1.144 +++ core.html 1999/02/09 20:20:23 1.145 @@ -49,6 +49,7 @@ <LI><A HREF="#keepalive">KeepAlive</A> <LI><A HREF="#keepalivetimeout">KeepAliveTimeout</A> <LI><A HREF="#limit"><Limit></A> +<LI><A HREF="#limitexcept"><LimitExcept></A> <LI><A HREF="#limitrequestbody">LimitRequestBody</A> <LI><A HREF="#limitrequestfields">LimitRequestFields</A> <LI><A HREF="#limitrequestfieldsize">LimitRequestFieldsize</A> @@ -659,7 +660,8 @@ The directory sections typically occur in the access.conf file, but they may appear in any configuration file. <Directory> directives cannot -nest, and cannot appear in a <A HREF="#limit"><Limit></A> section. +nest, and cannot appear in a <A HREF="#limit"><Limit></A> or +<A HREF="#limitexcept"><LimitExcept></A> section. <P> <STRONG>See also</STRONG>: <A HREF="../sections.html">How Directory, @@ -1337,6 +1339,35 @@ If GET is used it will also restrict HEAD requests. <STRONG>If you wish to limit all methods, do not include any <Limit> directive at all.</STRONG> + +<P><HR> + +<H2><A NAME="limitexcept"><LimitExcept> directive</A></H2> +<!--%plaintext <?INDEX {\tt LimitExcept} section directive> --> +<A + HREF="directive-dict.html#Syntax" + REL="Help" +><STRONG>Syntax:</STRONG></A> + <LimitExcept <EM>method method</EM> ... > ... </LimitExcept><BR> +<A + HREF="directive-dict.html#Context" + REL="Help" +><STRONG>Context:</STRONG></A> any<BR> +<A + HREF="directive-dict.html#Status" + REL="Help" +><STRONG>Status:</STRONG></A> core<BR> +<A + HREF="directive-dict.html#Compatibility" + REL="Help" +><STRONG>Compatibility:</STRONG></A> Available in Apache 1.3.5 and later<P> + +<LimitExcept> and </LimitExcept> are used to enclose a group of +access control directives which will then apply to any HTTP access method +<STRONG>not</STRONG> listed in the arguments; i.e., it is the opposite of a +<A HREF="#limit"><Limit></A> section and can be used to control both +standard and nonstandard/unrecognized methods. See the documentation for +<A HREF="#limit"><Limit></A> for more details. <P><HR> 1.55 +1 -0 apache-1.3/htdocs/manual/mod/directives.html Index: directives.html =================================================================== RCS file: /home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v retrieving revision 1.54 retrieving revision 1.55 diff -u -r1.54 -r1.55 --- directives.html 1999/02/06 11:00:57 1.54 +++ directives.html 1999/02/09 20:20:23 1.55 @@ -123,6 +123,7 @@ <LI><A HREF="core.html#keepalivetimeout">KeepAliveTimeout</A> <LI><A HREF="mod_negotiation.html#languagepriority">LanguagePriority</A> <LI><A HREF="core.html#limit"><Limit></A> +<LI><A HREF="core.html#limitexcept"><LimitExcept></A> <LI><A HREF="core.html#limitrequestbody">LimitRequestBody</A> <LI><A HREF="core.html#limitrequestfields">LimitRequestFields</A> <LI><A HREF="core.html#limitrequestfieldsize">LimitRequestFieldsize</A> 1.1245 +7 -0 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1244 retrieving revision 1.1245 diff -u -r1.1244 -r1.1245 --- CHANGES 1999/02/09 18:00:22 1.1244 +++ CHANGES 1999/02/09 20:20:25 1.1245 @@ -1,5 +1,12 @@ Changes with Apache 1.3.5 + *) Added a <LimitExcept method ...> sectioning directive that allows + the user to assign authentication control to any HTTP method that + is *not* given in the argument list; i.e., the logical negation + of the <Limit> directive. This is particularly useful for controlling + access on methods unknown to the Apache core, but perhaps known by + some module or CGI script. [Roy Fielding, Tony Finch] + *) Prevent apachectl from complaining if the PIDFILE exists but does not contain a process id, as might occur if the server is being rapidly restarted. [Wilfredo Sanchez] 1.249 +17 -6 apache-1.3/src/main/http_core.c Index: http_core.c =================================================================== RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v retrieving revision 1.248 retrieving revision 1.249 diff -u -r1.248 -r1.249 --- http_core.c 1999/02/06 03:02:11 1.248 +++ http_core.c 1999/02/09 20:20:26 1.249 @@ -1241,6 +1241,7 @@ const char *arg) { const char *limited_methods = ap_getword(cmd->pool, &arg, '>'); + void *tog = cmd->cmd->cmd_data; int limited = 0; const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT); @@ -1249,7 +1250,7 @@ } /* XXX: NB: Currently, we have no way of checking - * whether <Limit> sections are closed properly. + * whether <Limit> or <LimitExcept> sections are closed properly. * (If we would add a srm_command_loop() here we might...) */ @@ -1257,26 +1258,31 @@ char *method = ap_getword_conf(cmd->pool, &limited_methods); int methnum = ap_method_number_of(method); - if (methnum == M_TRACE) { + if (methnum == M_TRACE && !tog) { return "TRACE cannot be controlled by <Limit>"; } else if (methnum == M_INVALID) { - return ap_pstrcat(cmd->pool, "unknown method \"", - method, "\" in <Limit>", NULL); + return ap_pstrcat(cmd->pool, "unknown method \"", method, + "\" in <Limit", tog ? "Except>" : ">", NULL); } else { limited |= (1 << methnum); } } - cmd->limited = limited; + /* Killing two features with one function, + * if (tog == NULL) <Limit>, else <LimitExcept> + */ + cmd->limited = tog ? ~limited : limited; return NULL; } static const char *endlimit_section(cmd_parms *cmd, void *dummy, void *dummy2) { + void *tog = cmd->cmd->cmd_data; + if (cmd->limited == -1) { - return "</Limit> unexpected"; + return tog ? "</LimitExcept> unexpected" : "</Limit> unexpected"; } cmd->limited = -1; @@ -2675,6 +2681,11 @@ "authentication directives when accessed using specified HTTP methods" }, { "</Limit>", endlimit_section, NULL, OR_ALL, NO_ARGS, "Marks end of <Limit>" }, +{ "<LimitExcept", ap_limit_section, (void*)1, OR_ALL, RAW_ARGS, + "Container for authentication directives to be applied when any HTTP " + "method other than those specified is used to access the resource" }, +{ "</LimitExcept>", endlimit_section, (void*)1, OR_ALL, NO_ARGS, + "Marks end of <LimitExcept>" }, { "<IfModule", start_ifmod, NULL, OR_ALL, TAKE1, "Container for directives based on existance of specified modules" }, { end_ifmodule_section, end_ifmod, NULL, OR_ALL, NO_ARGS,