On Wed, Sep 05, 2001 at 05:46:15AM -0700, Greg Stein wrote:
> Take a look at ap_sub_req_method_uri. That might do the trick for you.
>
> I don't think there is a similar one for files right now.
Thanks. I took a look at ap_sub_req_method_uri and am still whining:
ap_sub_req_method_uri takes a method string argument and returns a sub
req with that method. All functions that could be creating POST, PUT,
etc requests should perhaps use it like this:
rnew = ap_sub_req_method_uri(r->method, newUri, r, somefilter)
but they don't. They all call ap_sub_req_lookup_uri which hard codes it:
return ap_sub_req_method_uri("GET", new_file, r, next_filter);
I haven't tested, but it seems like a number of the callers of
ap_sub_req_lookup_uri may be subject to the problem I'm addressing
in ap_sub_req_lookup_file.
The problem I'm trying to solve here is to make the ACLs on negotiated
files work out of the box. As it is, if the ACL is only on foo.php3, a
POST to foo will cause, for instance, mod_auth's check_user_access to
check the ACLs for POST on foo and later, after mod_negotiation does
its trick, check the ACLs for GET on foo.php3. If Joe user is allowed
to GET foo.php3 he can sneak around the ACLs by POSTing to foo.
I saw this problem back in 1.3 and figured I'd tackle it if it was
still around in 2.0. I think the solution proposed below will work
but I haven't checked mod_{dav,include,autoindex} to see that they
don't mean to create a sub req that truly is a GET and not whatever
the parent req was.
> On Wed, Sep 05, 2001 at 08:17:15AM -0400, Eric Prud'hommeaux wrote:
> > Can anybody explain why ap_set_sub_req_protocol does
> > rnew->method = "GET";
> > rnew->method_number = M_GET;
> > instead of
> > rnew->method = r->method;
> > rnew->method_number = r->method_number;
> > ? The consequence is that functions like negotiation
> > sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
> > check auth on the wrong method. You can check this by POSTing to
> > foo and having a limit on POST for foo.php3 (as opposed to the
> > whole directory). A quick way to check is to set a breakpoint in
> > ap_set_sub_req_protocol and
> > telnet localhost 80
> > POST /Overview HTTP/1.0
> > Content-Length: 5
> >
> > abcd
> > Any calls to the auth modules will have a method of GET despite
> > the POST action they will eventually execute.
> >
> > All auth modules and the like could check for this:
> > int method = r->main ? r->main->method_number : r->method_number;
> > but it seems better to have the sub request default to the method
> > of the request that inspired it. There may be some modules that
> > may count on the default behavior, like mod_include, but I think
> > they should specifically make the new method be a GET as they are
> > not duplicating the parent request's behaviour.
> >
> > --
> > -eric
> >
> > ([EMAIL PROTECTED])
> > Feel free to forward this message to any list for any purpose other than
> > email address distribution.
>
> --
> Greg Stein, http://www.lyra.org/
--
-eric
([EMAIL PROTECTED])
Feel free to forward this message to any list for any purpose other than
email address distribution.
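As an added illustration (not code from this thread or from Apache itself), a self-contained C model of the three behaviours discussed above: a sub-request hard-coded to GET, a sub-request that inherits the parent's method, and an auth module that walks r->main to check the outermost request's method. The `req` type, the method-number values and the ACL are stand-ins, not Apache's request_rec or its APIs.

```c
#include <string.h>

/* Stand-in for the parts of Apache's request structure the thread talks
 * about; not the real request_rec. Method numbers are placeholder values. */
enum { M_GET = 0, M_POST = 2 };

typedef struct req {
    const char *method;    /* "GET", "POST", ... */
    int method_number;
    const char *uri;       /* "/foo" or the negotiated "/foo.php3" */
    struct req *main;      /* parent of a sub-request, NULL at top level */
} req;

/* Current ap_set_sub_req_protocol behaviour as described: every sub-request
 * becomes a GET regardless of the parent's method. */
static req subreq_hardcoded_get(req *parent, const char *uri) {
    req s = { "GET", M_GET, uri, parent };
    return s;
}

/* Proposed fix: the sub-request inherits the method of the parent request. */
static req subreq_inherit(req *parent, const char *uri) {
    req s = { parent->method, parent->method_number, uri, parent };
    return s;
}

/* The per-module workaround from the thread, generalised to nested
 * sub-requests: walk up r->main to the request the client actually sent. */
static int effective_method_number(const req *r) {
    while (r->main)
        r = r->main;
    return r->method_number;
}

/* Hypothetical ACL: POST is limited on /foo.php3 only (denied for this user);
 * everything else is allowed. Returns 1 if access is granted. */
static int acl_allows(const req *r, int use_effective) {
    int m = use_effective ? effective_method_number(r) : r->method_number;
    return !(strcmp(r->uri, "/foo.php3") == 0 && m == M_POST);
}

/* Builds "POST /foo" negotiated to /foo.php3 by a sub-request and runs the
 * ACL on the sub-request. Returns 1 when access is granted. */
int acl_result(int inherit_method, int check_effective) {
    req parent = { "POST", M_POST, "/foo", NULL };
    req sub = inherit_method ? subreq_inherit(&parent, "/foo.php3")
                             : subreq_hardcoded_get(&parent, "/foo.php3");
    return acl_allows(&sub, check_effective);
}
```

acl_result(0, 0) reproduces the bypass (the POST limit on foo.php3 is never consulted); acl_result(1, 0) and acl_result(0, 1) both deny, showing that either the inherited method or the outermost-request check closes the gap.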