Posted to dev@httpd.apache.org by Eric Prud'hommeaux <er...@w3.org> on 2001/09/05 14:17:15 UTC

sub requests are all "GET"s

Can anybody explain why ap_set_sub_req_protocol does
    rnew->method          = "GET";
    rnew->method_number   = M_GET;
instead of
    rnew->method          = r->method;
    rnew->method_number   = r->method_number;
? The consequence is that functions like negotiation
    sub_req = ap_sub_req_lookup_file(dirent.name, r, NULL);
check auth on the wrong method. You can check this by POSTing to
foo and having a limit on POST for foo.php3 (as opposed to the
whole directory). A quick way to check is to set a breakpoint in
ap_set_sub_req_protocol and
  telnet localhost 80
  POST /Overview HTTP/1.0
  Content-Length: 5
  
  abcd
Any calls to the auth modules will have a method of GET despite
the POST action they will eventually execute.

All auth modules and the like could check for this:
  int method = r->main ? r->main->method_number : r->method_number;
but it seems better to have the sub request default to the method
of the request that inspired it. There may be some modules that
may count on the default behavior, like mod_include, but I think
they should specifically make the new method be a GET as they are
not duplicating the parent request's behaviour.

-- 
-eric

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Re: sub requests are all "GET"s

Posted by Eric Prud'hommeaux <er...@w3.org>.
On Wed, Sep 05, 2001 at 05:46:15AM -0700, Greg Stein wrote:
> Take a look at ap_sub_req_method_uri. That might do the trick for you.
> 
> I don't think there is a similar one for files right now.

Thanks. I took a look at ap_sub_req_method_uri and am still whining:

ap_sub_req_method_uri takes a method string argument and returns a sub
req with that method. All functions that could be creating POST, PUT,
etc requests should perhaps use it like this:
  rnew = ap_sub_req_method_uri(r->method, newUri, r, somefilter)
but they don't. They all call ap_sub_req_lookup_uri which hard codes it:
  return ap_sub_req_method_uri("GET", new_file, r, next_filter);

I haven't tested, but it seems like a number of the callers of
ap_sub_req_lookup_uri may be subject to the problem I'm addressing
in ap_sub_req_lookup_file.

The problem I'm trying to solve here is to make the ACLs on negotiated
files work out of the box. As it is, if the ACL is only on foo.php3, a
POST to foo will cause, for instance, mod_auth's check_user_access to
check the ACLs for POST on foo and later, after mod_negotiation does
its trick, check the ACLs for GET on foo.php3. If Joe user is allowed
to GET foo.php3 he can sneak around the ACLs by POSTing to foo.

I saw this problem back in 1.3 and figured I'd tackle it if it was
still around in 2.0. I think the solution proposed below will work
but I haven't checked mod_{dav,include,autoindex} to see that they
don't mean to create a sub req that truly is a GET and not whatever
the parent req was.


-- 
-eric

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.
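The mismatch described above (the ACL on foo.php3 evaluated against the sub request's GET while the parent request is a POST), as an added toy model in C that is not httpd's own code. The struct, the M_* values and limit_post_on_php3 are simplified stand-ins for request_rec, httpd's method numbers and a <Limit POST> on foo.php3; the three variants are the current GET default, the proposed inherit-from-parent default, and the r->main workaround from the first message.

```c
#include <string.h>

/* Toy model of the request_rec fields this thread talks about;
 * constructed for illustration, not Apache's real struct or values. */
enum { M_GET = 0, M_POST = 2 };

typedef struct request_rec {
    const char *method;
    int method_number;
    const char *filename;
    struct request_rec *main;   /* parent request, NULL for the main request */
} request_rec;

/* Current behaviour described in the thread: every sub request is a GET. */
static void set_sub_req_protocol_get(request_rec *rnew, request_rec *r) {
    rnew->method = "GET";
    rnew->method_number = M_GET;
    rnew->main = r;
}

/* Proposed behaviour: the sub request inherits the parent's method. */
static void set_sub_req_protocol_inherit(request_rec *rnew, request_rec *r) {
    rnew->method = r->method;
    rnew->method_number = r->method_number;
    rnew->main = r;
}

/* Workaround suggested for auth modules: consult the main request. */
static int effective_method(const request_rec *r) {
    return r->main ? r->main->method_number : r->method_number;
}

/* Toy "<Limit POST>" applied only to foo.php3: returns 1 if access is allowed. */
static int limit_post_on_php3(const request_rec *r, int method) {
    if (strcmp(r->filename, "foo.php3") != 0) return 1;  /* no ACL on this file */
    return method != M_POST;                              /* POST is denied */
}

/* Simulate: POST /foo, negotiation creates a sub request for foo.php3, and
 * the ACL is checked against the method the sub request carries. */
static int negotiated_post_allowed(int inherit, int use_workaround) {
    request_rec r = { "POST", M_POST, "foo", NULL };      /* constructed parent */
    request_rec sub = { NULL, 0, "foo.php3", NULL };      /* negotiated file */
    if (inherit) set_sub_req_protocol_inherit(&sub, &r);
    else         set_sub_req_protocol_get(&sub, &r);
    int method = use_workaround ? effective_method(&sub) : sub.method_number;
    return limit_post_on_php3(&sub, method);
}
```

With the GET default and no workaround the POST limit on foo.php3 never fires; either inheriting the parent's method or checking r->main makes the ACL deny it.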

Re: sub requests are all "GET"s

Posted by Greg Stein <gs...@lyra.org>.
Take a look at ap_sub_req_method_uri. That might do the trick for you.

I don't think there is a similar one for files right now.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: sub requests are all "GET"s

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Eric Prud'hommeaux wrote:
> 
> Can anybody suggest a reason that sub request methods would _not_
> default to the parent request's method?

Well, consider the situation of the parent request using POST.
When you constructed your subrequest you would need to also
provide an entity-body or explicitly set Content-length to zero.
I suspect one of the original arguments may have been that GET
and HEAD are defined as idempotent and therefore essentially
repeatable and transparent to the effect of the original request.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: sub requests are all "GET"s

Posted by Eric Prud'hommeaux <er...@w3.org>.
On Wed, Sep 05, 2001 at 09:47:04AM -0700, Rasmus Lerdorf wrote:
> Whoa, deja vu...  I could have sworn I fixed something very similar to
> this more than 5 years ago now.  In fact, here is the patch for Apache
> 1.2.x:
> 
> Fri Mar 1 03:01:06 1996 UTC (66 months, 1 week ago)
> http://cvs.apache.org/viewcvs.cgi/apache-1.2/src/http_request.c.diff?r1=1.2&r2=1.3
> 
> Not exactly the same issue, I know, but very close.

From inspecting the patch:
 That patch affected two functions, internal_redirect and die. The die
 patch was for responses with a 200 and a custom_response and was
 therefore forced to always be a GET. The internal_redirect patch is
 pretty much what I want to do with sub requests.

 I haven't traced through an internally redirected POST but
 mod_rewrite seems to rely on concocted r->filenames
 (method://server:port/localpath) rather than the method in a sub
 request. I wonder if POST://localhost/foo.php3 will chain
 appropriately.

Can anybody suggest a reason that sub request methods would _not_
default to the parent request's method?

-- 
-eric

(eric@w3.org)
Feel free to forward this message to any list for any purpose other than
email address distribution.

Re: sub requests are all "GET"s

Posted by Rasmus Lerdorf <ra...@apache.org>.
Whoa, deja vu...  I could have sworn I fixed something very similar to
this more than 5 years ago now.  In fact, here is the patch for Apache
1.2.x:

Fri Mar 1 03:01:06 1996 UTC (66 months, 1 week ago)
http://cvs.apache.org/viewcvs.cgi/apache-1.2/src/http_request.c.diff?r1=1.2&r2=1.3

Not exactly the same issue, I know, but very close.

-Rasmus