On Jan 29, 2010, at 10:46 AM, Stefan Fritsch wrote:

> On Friday 29 January 2010, Plüm, Rüdiger, VF-Group wrote:
>> Thanks for clarification. I guess I understand your intention
>> better now. So basically you want those providers that do not
>> implement GET by themselves to enforce the usage of the default
>> handler, correct?
>> Mind sending a patch to the list for better review?
>
> Exactly. The patch below works with 2.2 (haven't tested with trunk
> due to lack of mod_php).
>
> BTW, I found PR 13025, which seems to suggest that being able to mix
> script execution and DAV on the same URL is a feature. I am still for
> removing this 'feature' in trunk, though. But I would be against a
> backport to 2.2.x.
>
>
> --- a/modules/dav/main/mod_dav.c > +++ b/modules/dav/main/mod_dav.c > @@ -4803,12 +4803,13 @@ static int dav_fixups(request_rec *r) > > /* > * If the repository hasn't indicated that it will handle the > - * GET method, then just punt. > - * > - * ### this isn't quite right... taking over the response can break > - * ### things like mod_negotiation. need to look into this some more. > + * GET method, then we let the default handler do it. Set the handler > + * explicitly to ensure that no other handler takes the request. > + * We don't care about directories, though. > */ > if (!conf->provider->repos->handle_get) { > + if (r->finfo.filetype != APR_DIR) > + r->handler = "none"; > return DECLINED; > } > }
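
Review bot: the added assignment r->handler = "none" in the !conf->provider->repos->handle_get branch applies to every non-directory resource unconditionally, so a location that currently relies on another handler answering GET changes behaviour with no way to opt out; consider gating it behind a configuration directive and documenting that. The test r->finfo.filetype != APR_DIR also matches APR_NOFILE and other non-regular types, so say in the comment whether that is intended or compare against APR_REG. The hunk also deletes the ### note about taking over the response breaking mod_negotiation without saying how forcing the handler resolves that concern.
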
It looks to me like that would introduce a security hole for existing configs that expect a handler to run on GET (PHP/CGI scripts that are authorable via DAV). -1 if so.

....Roy