Posted to dev@httpd.apache.org by Marc Slemko <ma...@worldgate.com> on 1998/07/04 01:01:36 UTC

Re: cvs commit: apache-1.3/src/main http_core.c

On 3 Jul 1998 coar@hyperreal.org wrote:

> coar        98/07/03 13:06:02
> 
>   Modified:    src      CHANGES
>                src/main http_core.c
>   Log:
>   	Fix <Limit> parsing; "GET" and "get" are distinct methods.

Note that this introduces a security problem in that many users use
something other than the uppercase method name in their config files.
Previously it worked; this will magically stop authentication from being
required for them.  That is bad.


Re: cvs commit: apache-1.3/src/main http_core.c

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Marc Slemko wrote:
> 
> Note that this introduces a security problem in that many users use
> something other than the uppercase method name in their config files.
> Previously it worked; this will magically stop authentication from being
> required for them.  That is bad.

Not as bad as you might think; the bad method names will cause
configuration errors and show up in the error log.  If in the
server conf files, the server won't even start.

I'm making a note in the upgrading* document regardless, and
I think this thing in particular should be mentioned in the 1.3.1
announcement message.

Being conditionally bad or knowingly incorrect... I prefer the
former, I think.

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
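The disagreement above is about what happens to a `<Limit get>` block once method names are compared case-sensitively. The following added model (not Apache's code; the directive parser, the mode names and the `KNOWN_METHODS` set are constructed for illustration) contrasts the three behaviours the thread describes: the old case-insensitive match, a strict match that silently leaves GET unprotected, and a strict match that rejects the unknown name at configuration time so the mistake shows up in the error log instead of at request time.

```python
"""Model of the <Limit> method-matching change discussed in the thread.

Modes (names chosen here, not Apache's):
  legacy  - names compared case-insensitively: <Limit get> covers GET.
  naive   - case-sensitive, no validation: <Limit get> covers nothing,
            so GET silently escapes the access control (Marc's concern).
  checked - case-sensitive, unknown names rejected at parse time, so the
            misconfiguration fails closed at startup (Ken's point).
"""

# Constructed set of method names for the example; not Apache's list.
KNOWN_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


class ConfigError(Exception):
    """Raised for a <Limit> directive the server refuses to load."""


def parse_limit(directive, mode):
    """Return the set of method names a '<Limit ...>' directive covers."""
    inner = directive.strip()
    if not (inner.startswith("<Limit") and inner.endswith(">")):
        raise ConfigError("not a <Limit> directive: %r" % directive)
    names = inner[len("<Limit"):-1].split()
    if mode == "legacy":
        # Old behaviour: fold case, so 'get' and 'GET' are the same method.
        return {n.upper() for n in names}
    if mode == "checked":
        bad = [n for n in names if n not in KNOWN_METHODS]
        if bad:
            raise ConfigError("unknown method(s) in <Limit>: " + ", ".join(bad))
    # naive and checked both keep the names exactly as written.
    return set(names)


def evaluate(directive, request_method, mode):
    """Classify one request: 'protected', 'unprotected' or 'config-error'."""
    try:
        limited = parse_limit(directive, mode)
    except ConfigError:
        return "config-error"
    return "protected" if request_method in limited else "unprotected"


if __name__ == "__main__":
    for mode in ("legacy", "naive", "checked"):
        print("%-8s GET under <Limit get post>: %s"
              % (mode, evaluate("<Limit get post>", "GET", mode)))
```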