Output filters cannot handle methods -- only input filters can do that. It sounds to me like you guys are just arguing past each other -- the architecture is broken, not the individual modules. Just fix it.
Greg is right -- the default handler is incapable of supporting any method other than GET, HEAD, and OPTIONS, and must error if it sees anything else. OTOH, mod_dav should not be monkeying with the content hook if it isn't the content handler. If you don't fix both problems then the security issue will resurface at a later time. ....Roy
