On Jan 29, 2010, at 10:46 AM, Stefan Fritsch wrote:
> On Friday 29 January 2010, Plüm, Rüdiger, VF-Group wrote:
>> Thanks for clarification. I guess I understand your intention
>> better now. So basically you want those providers that do not
>> implement GET by themselves to enforce the usage of the default
>> handler, correct?
>> Mind to send a patch to the list for better review?
>
> Exactly. The patch below works with 2.2 (haven't tested with trunk
> due to lack of mod_php).
>
> BTW, I found PR 13025, which seems to suggest that being able to mix
> script execution and DAV on the same URL is a feature. I am still for
> removing this 'feature' in trunk, though. But I would be against a
> backport to 2.2.x.
>
>
> --- a/modules/dav/main/mod_dav.c
> +++ b/modules/dav/main/mod_dav.c
> @@ -4803,12 +4803,13 @@ static int dav_fixups(request_rec *r)
>
> /*
> * If the repository hasn't indicated that it will handle the
> - * GET method, then just punt.
> - *
> - * ### this isn't quite right... taking over the response can break
> - * ### things like mod_negotiation. need to look into this some more.
> + * GET method, then we let the default handler do it. Set the handler
> + * explicitly to ensure that no other handler takes the request.
> + * We don't care about directories, though.
> */
> if (!conf->provider->repos->handle_get) {
> + if (r->finfo.filetype != APR_DIR)
> + r->handler = "none";
> return DECLINED;
> }
> }
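
Review bot: The assignment r->handler = "none" in the !handle_get branch unconditionally discards whatever handler the configuration had already selected for this request, so a setup that relies on a script handler running on these resources changes behaviour without any opt-in: the file would be sent by the default handler instead of being executed. Consider applying the override only when an explicit per-directory setting asks for it, or at least leaving an already configured handler in place, and document the change for existing configurations. The new comment should also say that "none" is the value that selects the default handler, since the string alone does not make that obvious, and the removed "###" note about mod_negotiation is dropped without the hunk showing that the concern was addressed. Minor: brace the inner if to match the surrounding block.
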
It looks to me like that would introduce a security hole for existing
configs that expect a handler to run on GET (PHP/CGI scripts that are
authorable via DAV). -1 if so.
....Roy