Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/31 16:41:05 UTC
DO NOT REPLY [Bug 22023] New: - unsafe methods vs request URIs with fragment id
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22023
Summary: unsafe methods vs request URIs with fragment id
Product: Apache httpd-2.0
Version: 2.0.46
Platform: All
OS/Version: Other
Status: NEW
Severity: Major
Priority: Other
Component: mod_dav
AssignedTo: bugs@httpd.apache.org
ReportedBy: julian.reschke@gmx.de
Unsafe methods (such as DELETE) should reject requests where the request URI
contains a fragment identifier. Otherwise, requests by broken clients such as MS
Webfolder Client version 10.145.3914.17 may cause unintentional removals of
whole collections.
Example:
- take resource "a/%23b" and DELETE it with the aforementioned client
- client submits DELETE to "a/#"
- fragment id gets stripped, DELETE gets applied to the parent collection
(I'd personally prefer httpd to reject all requests with illegal request URIs,
but I'm not sure that the removal of what seems to be a workaround for broken
clients is acceptable)
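
The behaviour described in the report, next to the check it asks for, as an added example that is not part of the original report and is not httpd or mod_dav code. The function names, the list of unsafe methods and the sample request-targets are assumptions made for illustration; the check implements only the first proposal (reject unsafe methods), not the rejection of all illegal request URIs.

```c
#include <stdio.h>
#include <string.h>

/* Methods treated as unsafe in this example (assumed list). */
static int is_unsafe_method(const char *m)
{
    static const char *const unsafe[] = {
        "DELETE", "PUT", "POST", "MOVE", "COPY",
        "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"
    };
    for (size_t i = 0; i < sizeof unsafe / sizeof unsafe[0]; i++)
        if (strcmp(m, unsafe[i]) == 0)
            return 1;
    return 0;
}

/* Lenient behaviour from the report: drop everything from the first raw
 * '#' and act on what is left. Returns the length of the path kept. */
static size_t strip_fragment(const char *target, char *out, size_t outlen)
{
    size_t n = strcspn(target, "#");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, target, n);
    out[n] = '\0';
    return n;
}

/* Strict check: 400 when an unsafe method carries a raw '#' in its
 * request-target, 0 to continue. "%23" is an encoded '#', belongs to
 * the path, and therefore passes. */
static int check_request_target(const char *method, const char *target)
{
    if (is_unsafe_method(method) && strchr(target, '#') != NULL)
        return 400;
    return 0;
}

int main(void)
{
    /* Constructed request-targets modelled on the report's example. */
    const char *targets[] = { "/a/%23b", "/a/#b", "/a/#" };
    char path[64];
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        strip_fragment(targets[i], path, sizeof path);
        printf("DELETE %-8s lenient acts on %-8s strict -> %d\n",
               targets[i], path, check_request_target("DELETE", targets[i]));
    }
    return 0;
}
```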