On Dec 16, 2007 8:33 PM, bubblboy <[EMAIL PROTECTED]> wrote:
>
> David Terrell wrote:
> > On Fri, Dec 14, 2007 at 03:14:48PM +1300, Ben Hoyt wrote:
> >>> That's dangerous. But isn't that the duty of webserver?
> >>>
> >> Yeah, I also wondered whether Apache would filter it out. But it doesn't,
> >> and on second thoughts, I don't think it is the duty of the web server,
> >> because there are loads of semi-custom HTTP methods, like the ones that
> >> webdav/svn uses, and people sometimes use their own custom ones, too. Here's
> >> a list of HTTP methods I found:
> >>     http://annevankesteren.nl/2007/10/http-methods
> >>
> >> But I figure most people won't be using PROPFIND with web.py. And if they
> >> want to, they can always add it to valid_methods.
> >
> >
> > Option one: Apache limit by method.
> > Option two: by convention or standard, all HTTP methods are all caps.  Why
> > not simply filter out all methods that don't start with a capital letter?
> > (or methods that are all capitals).
>
> That just reduces the scope of the problem instead of fixing it. I
> favour Ben's solution on this one.
>
> Also; web.py is a server itself, too. So it should still take care of
> this, in the end. (Assuming that server also allows these weird methods.)

We are planning to release web.py 0.23 soon with this fix and many others.
I have created a bzr branch for the 0.23 release at
http://webpy.org/bzr/webpy-0.23 and added a fix for this bug.
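
The two filtering options discussed in this thread, compared side by side in an added example that is not part of the original messages and is not web.py's code. It assumes a simplified dispatcher that looks up the HTTP method name as an attribute of the handler; `Page`, `RESET`, `_load`, `VALID_METHODS` and the `dispatch_*` functions are hypothetical names constructed for illustration.

```python
# Simplified model of a dispatcher that maps the HTTP method name to a
# handler attribute (an assumption for illustration, not web.py's source).
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE"}  # hypothetical allowlist
DENIED = "405 Method Not Allowed"


class Page:
    """Constructed handler: only GET is meant to be reachable."""

    def GET(self):
        return "200 page body"

    def RESET(self):  # all-caps helper, never meant to be an HTTP verb
        return "state reset"

    def _load(self):  # private helper
        return "internal state"


def dispatch_unfiltered(handler, method):
    # Any attribute name the client sends is looked up and called.
    func = getattr(handler, method, None)
    return func() if callable(func) else DENIED


def dispatch_caps_only(handler, method):
    # "Option two" from the thread: accept only all-capital method names.
    if not (method.isalpha() and method.isupper()):
        return DENIED
    return dispatch_unfiltered(handler, method)


def dispatch_allowlist(handler, method, valid_methods=VALID_METHODS):
    # Allowlist: reject anything not explicitly permitted. A site that
    # needs PROPFIND passes VALID_METHODS | {"PROPFIND"}.
    if method not in valid_methods:
        return DENIED
    return dispatch_unfiltered(handler, method)


def compare(handler, methods):
    """Return {method: (unfiltered, caps_only, allowlist)} for each input."""
    return {m: (dispatch_unfiltered(handler, m),
                dispatch_caps_only(handler, m),
                dispatch_allowlist(handler, m)) for m in methods}


if __name__ == "__main__":
    for name, row in compare(Page(), ["GET", "_load", "RESET", "PROPFIND"]).items():
        print(f"{name:10} {row}")
```

The `RESET` row is the case where the capital-letters filter still dispatches and only the allowlist refuses.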
