On 02/14/2011 01:23 AM, Graham Leggett wrote:
> On 14 Feb 2011, at 2:15 AM, Paul Querna wrote:
>
>> It does a single request to the backend, but doesn't _invalidate_ the
>> existing cache, which would cause a flood of other, non-attacker
>> clients to come in.
>
> I think that would be the origin of Roy saying that we should only
> invalidate if the result is 2xx. Someone trying methods in the hope they
> would do something would get a 405 Method Not Supported.
Not sure about Roy, but I guess Paul's fear was more about POST, which could be handled by the backend in the same way as GET and hence would provide an easy remote way to remove cache entries. Of course one could argue that the backend application should be fixed then, but I guess we have many examples where the flexibility of httpd makes it possible to work around bugs in backends where they are not fixable for whatever reason :-).

Regards

Rüdiger
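To make the two positions in this exchange concrete, here is a small Python model of a caching proxy's invalidation decision. It is an added illustration, not Apache httpd's mod_cache code and not from anyone in the thread. It compares the two policies discussed: invalidating the cached entry on any response to a non-GET/HEAD method, versus only when the origin answers 2xx (the rule later codified in RFC 7234 section 4.4, which requires invalidation on a non-error response to an unsafe method). The two origins, `strict_backend` (405 for anything but GET/HEAD) and `lenient_backend` (treats POST like GET), and the URL are constructed for the example; the "flood" is modelled as N clients whose GETs all arrive before any response can refill the cache, with no request coalescing.

```python
"""Toy model of cache invalidation on unsafe methods (added illustration, not httpd code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SAFE_METHODS = {"GET", "HEAD"}

Backend = Callable[[str, str], Tuple[int, str]]


def strict_backend(method: str, url: str) -> Tuple[int, str]:
    """Hypothetical origin (constructed) that implements only GET/HEAD.

    Unknown methods get 405, which is what Graham expects an attacker
    probing methods to receive."""
    if method in SAFE_METHODS:
        return 200, f"body of {url}"
    return 405, "Method Not Allowed"


def lenient_backend(method: str, url: str) -> Tuple[int, str]:
    """Hypothetical origin (constructed) that handles POST exactly like GET.

    This is the backend behaviour the reply worries about: POST yields a 2xx,
    so even the 2xx-only rule lets a remote client evict the cache entry."""
    if method in SAFE_METHODS or method == "POST":
        return 200, f"body of {url}"
    return 405, "Method Not Allowed"


@dataclass
class Cache:
    backend: Backend
    invalidate_on_2xx_only: bool = True
    entries: Dict[str, str] = field(default_factory=dict)
    backend_requests: int = 0

    def _fetch(self, method: str, url: str) -> Tuple[int, str]:
        self.backend_requests += 1
        return self.backend(method, url)

    def handle(self, method: str, url: str) -> Tuple[str, bool]:
        """Serve one request; return (body, served_from_cache)."""
        if method in SAFE_METHODS:
            if url in self.entries:
                return self.entries[url], True
            status, body = self._fetch(method, url)
            if status == 200:
                self.entries[url] = body
            return body, False
        # Unsafe method: always forwarded to the origin, never served from cache.
        status, body = self._fetch(method, url)
        if (not self.invalidate_on_2xx_only) or 200 <= status < 300:
            self.entries.pop(url, None)
        return body, False

    def concurrent_gets(self, url: str, clients: int) -> int:
        """Model `clients` GETs arriving before any response refills the cache.

        A hit costs the origin nothing; a miss with no request coalescing
        costs one origin request per client. Returns the origin requests caused."""
        if url in self.entries:
            return 0
        for _ in range(clients):
            status, body = self._fetch("GET", url)
        if status == 200:
            self.entries[url] = body
        return clients


def entry_survives(backend: Backend, method: str, invalidate_on_2xx_only: bool) -> bool:
    """Warm the cache with a GET, send one request with `method`, and report
    whether the cached entry is still present afterwards."""
    cache = Cache(backend, invalidate_on_2xx_only)
    url = "/expensive-report"  # constructed URL
    cache.handle("GET", url)
    cache.handle(method, url)
    return url in cache.entries


def origin_load_after(backend: Backend, method: str, invalidate_on_2xx_only: bool,
                      clients: int) -> int:
    """Origin requests caused by `clients` simultaneous non-attacker GETs that
    follow one request using `method` against a warm cache."""
    cache = Cache(backend, invalidate_on_2xx_only)
    url = "/expensive-report"  # constructed URL
    cache.handle("GET", url)
    cache.handle(method, url)
    return cache.concurrent_gets(url, clients)


if __name__ == "__main__":
    for name, backend in (("strict", strict_backend), ("lenient", lenient_backend)):
        for method in ("DELETE", "POST"):
            for policy in (False, True):
                load = origin_load_after(backend, method, policy, 50)
                print(f"{name:8s} {method:6s} 2xx-only={policy!s:5s} origin requests after: {load}")
```

Against the strict origin, the "invalidate on any response" policy lets a single probing DELETE (answered 405) empty the cache and send all 50 waiting clients to the origin, while the 2xx-only policy keeps the entry. Against the lenient origin the 2xx-only policy does not help for POST, since the origin answers 200, which is the case where fixing the backend or filtering methods in front of it is the only remedy.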
