Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1998/07/04 01:01:36 UTC
Re: cvs commit: apache-1.3/src/main http_core.c
On 3 Jul 1998 coar@hyperreal.org wrote:
> coar 98/07/03 13:06:02
>
> Modified: src CHANGES
> src/main http_core.c
> Log:
> Fix <Limit> parsing; "GET" and "get" are distinct methods.
Note that this introduces a security problem in that many users use
something other than the uppercase method name in their config files.
Previously it worked; this will magically stop authentication from being
required for them. That is bad.
Re: cvs commit: apache-1.3/src/main http_core.c
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Marc Slemko wrote:
>
> Note that this introduces a security problem in that many users use
> something other than the uppercase method name in their config files.
> Previously it worked; this will magically stop authentication from being
> required for them. That is bad.
Not as bad as you might think; the bad method names will cause
configuration errors and show up in the error log. If in the
server conf files, the server won't even start.
I'm making a note in the upgrading* document regardless, and
I think this thing in particular should be mentioned in the 1.3.1
announcement message.
Being conditionally bad or knowingly incorrect.. I prefer the
former, I think.
#ken P-)}
Ken Coar <http://Web.Golux.Com/coar/>
Apache Group member <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
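
An added example, not part of the thread or of Apache's own code: a pre-upgrade check that lists <Limit> method names not written in uppercase, which is the case both messages are concerned with. The function name, the sample configuration and its paths are constructed for illustration.

```python
import re
import sys

# Opening <Limit ...> container. The directive name is matched
# case-insensitively; the method list is captured exactly as written.
LIMIT_RE = re.compile(r'^\s*<\s*Limit\s+([^>]*)>', re.IGNORECASE)

def find_mixed_case_limits(config_text, source="<config>"):
    """Return (source, line_no, method) for each <Limit> method not in uppercase."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith('#'):      # skip comment lines
            continue
        m = LIMIT_RE.match(line)
        if not m:
            continue
        for method in m.group(1).split():
            if method != method.upper():       # "get", "Post", ...
                findings.append((source, line_no, method))
    return findings

# Constructed sample input (not from the thread).
SAMPLE = """\
# constructed sample configuration
<Directory /www/private>
AuthType Basic
AuthName private
AuthUserFile /www/conf/htpasswd
<Limit get POST>
require valid-user
</Limit>
</Directory>
<Limit GET PUT>
require valid-user
</Limit>
  <limit Post>
  require valid-user
  </limit>
"""

if __name__ == "__main__":
    # Usage: script.py httpd.conf access.conf path/to/.htaccess ...
    paths = sys.argv[1:]
    texts = [(p, open(p).read()) for p in paths] or [("sample", SAMPLE)]
    for src, text in texts:
        for source, line_no, method in find_mixed_case_limits(text, src):
            print(f"{source}:{line_no}: <Limit> method '{method}' is not uppercase")
```

Run it over the server configuration files and any .htaccess files before upgrading; each reported line needs its method names rewritten in uppercase.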