Can anybody explain why ap_set_sub_req_protocol does
rnew->method = "GET";
rnew->method_number = M_GET;
instead of
rnew->method = r->method;
rnew->method_number = r->method_number;
? The consequence is that functions like negotiation
sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
check auth on the wrong method. You can check this by POSTing to
foo and having a limit on POST for foo.php3 (as opposed to the
whole directory). A quick way to check is to set a breakpoint in
ap_set_sub_req_protocol and
telnet localhost 80
POST /Overview HTTP/1.0
Content-Length: 5
abcd
Any calls to the auth modules will have a method of GET despite
the POST action they will eventually execute.
All auth modules and the like could check for this:
int method = r->main ? r->main->method_number : r->method_number;
but it seems better to have the sub request default to the method
of the request that inspired it. There may be some modules that
may count on the default behavior, like mod_include, but I think
they should specifically make the new method be a GET as they are
not duplicating the parent request's behaviour.
--
-eric
([EMAIL PROTECTED])
Feel free to forward this message to any list for any purpose other than
email address distribution.
