Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/31 16:41:05 UTC

DO NOT REPLY [Bug 22023] New: - unsafe methods vs request URIs with fragment id

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22023

           Summary: unsafe methods vs request URIs with fragment id
           Product: Apache httpd-2.0
           Version: 2.0.46
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_dav
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: julian.reschke@gmx.de


Unsafe methods (such as DELETE) should reject requests where the request URI
contains a fragment identifier. Otherwise, requests by broken clients such as MS
Webfolder Client version 10.145.3914.17 may cause unintentional removals of
whole collections.

Example:

- take resource "a/%23b" and DELETE it with the aforementioned client
- client submits DELETE to "a/#"
- fragment id gets stripped, DELETE gets applied to the parent collection

(I'd personally prefer httpd to reject all requests with illegal request URIs,
but I'm not sure that the removal of what seems to be a workaround for broken
clients is acceptable)
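
The check the report asks for, as an added example that is not part of the original message and is not httpd or mod_dav code: an unsafe method whose request target contains a raw '#' is rejected, while a percent-encoded "%23" passes as ordinary path data. The function names, the safe-method list, the 400 status and the leading slash on the sample targets are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_OK        0     /* hypothetical "keep processing" value */
#define HTTP_BAD_REQUEST 400   /* assumed rejection status */

/* Assumed safe-method list; every other method is treated as unsafe. */
static int is_safe_method(const char *method)
{
    static const char *const safe[] = { "GET", "HEAD", "OPTIONS" };
    for (size_t i = 0; i < sizeof safe / sizeof safe[0]; i++)
        if (strcmp(method, safe[i]) == 0)
            return 1;
    return 0;
}

/* What a lenient parser acts on: the target cut at the first raw '#'.
 * Returns 1 if a fragment was stripped, 0 if not, -1 if out is too small. */
int strip_fragment(const char *target, char *out, size_t outsz)
{
    size_t n = strcspn(target, "#");
    if (n >= outsz)
        return -1;
    memcpy(out, target, n);
    out[n] = '\0';
    return target[n] == '#';
}

/* Policy proposed in the report: unsafe method plus raw '#' is rejected.
 * Safe methods keep the lenient behaviour; "%23" is never a fragment. */
int check_request_target(const char *method, const char *target)
{
    if (!is_safe_method(method) && strchr(target, '#') != NULL)
        return HTTP_BAD_REQUEST;
    return TARGET_OK;
}

int main(void)
{
    char acted_on[64];
    const char *sent = "/a/#";   /* constructed: target sent by the broken client */
    strip_fragment(sent, acted_on, sizeof acted_on);
    printf("without the check, DELETE applies to %s\n", acted_on);
    printf("DELETE %s -> %d\n", sent, check_request_target("DELETE", sent));
    printf("DELETE /a/%%23b -> %d\n", check_request_target("DELETE", "/a/%23b"));
    return 0;
}
```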
