DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22023>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22023 unsafe methods vs request URIs with fragment id Summary: unsafe methods vs request URIs with fragment id Product: Apache httpd-2.0 Version: 2.0.46 Platform: All OS/Version: Other Status: NEW Severity: Major Priority: Other Component: mod_dav AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] Unsafe methods (such as DELETE) should reject requests where the request URI contains a fragment identifier. Otherwise, request by broken clients such as MS Webfolder Client version 10.145.3914.17 may cause unintentional removals of whole collections. Example: - take resource "a/%23b" and DELETE it with the aforementioned client - client submits DELETE to "a/#" - fragment id get stripped, DELETE gets applied to the parent collection (I'd personally prefer httpd to reject all requests with illegal request URIs, but I'm not sure that the removal of what seems to be a workaround for broken clients is acceptable) --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
