Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/08/26 06:56:15 UTC

DO NOT REPLY [Bug 36368] New: - CGI directive to disallow POST method

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36368>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36368

           Summary: CGI directive to disallow POST method
           Product: Apache httpd-2.0
           Version: 2.0.54
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_cgi
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rmiller@duskglow.com


We wanted to disallow the POST method, because for our purposes we wanted the 
arguments to said calls to be logged in the access log.  We considered using 
LimitExcept, but upon trying it, I saw that a 403 error was returned, and a 
search of the bug database showed that you had no plans to fix this.  I don't 
understand your reasoning on that, but anyway.  We needed a 405 error, and the 
only other way to do it was to test it in the CGI code itself, which was ugly. 
 
So, in true open source style, I hacked on mod_cgi and made a patch.  This 
creates a new config directive called DisallowPost - it's an ACCESS_CONF 
directive.  It can be either On or Off.  If it's on and you try to access a 
location protected by it with POST, you'll get a 405 method not allowed, which 
is exactly the behavior we needed. 
 
The patch line numbers will be off because I also applied the patch that fixes 
the #exec cmd problem.  However, other than that, it should apply to stock 
2.0.54. 
 
--- mod_cgi.c.orig      2005-08-24 22:45:30.000000000 -0700 
+++ mod_cgi.c   2005-08-25 01:05:17.000000000 -0700 
@@ -87,6 +87,22 @@ 
     apr_size_t  bufbytes; 
 } cgi_server_conf; 
 
+typedef struct { 
+    int         disallowpost; 
+} cgi_dir_conf; 
+ 
+static void *create_dir_config(apr_pool_t *p, server_rec *s) 
+{ 
+ 
+    cgi_dir_conf *conf; 
+ 
+    conf = (cgi_dir_conf *)apr_pcalloc(p, sizeof(*conf)); 
+ 
+    conf->disallowpost = 0; 
+ 
+    return conf; 
+} 
+ 
 static void *create_cgi_config(apr_pool_t *p, server_rec *s) 
 { 
     cgi_server_conf *c = 
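Review bot: `create_dir_config` takes `server_rec *s` as its second parameter, but the per-directory creator slot it is installed in by the last hunk is invoked with the directory path, so the prototype should be `static void *create_dir_config(apr_pool_t *p, char *dir)`. As written it only works because the argument is never read, and it should draw an incompatible-pointer diagnostic where the module record is initialised. The cast on `apr_pcalloc` and the `conf->disallowpost = 0;` assignment are both redundant, since that allocation is already zero-filled. A name such as `create_cgi_dir_config` would also sit better next to the existing `create_cgi_config`.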
@@ -107,6 +123,22 @@ 
     return overrides->logname ? overrides : base; 
 } 
 
+static const char *add_disallow_post(cmd_parms *cmd, void *config, const char *arg)
+{ 
+    cgi_dir_conf *conf = (cgi_dir_conf *)config; 
+ 
+    if (!strcasecmp(arg, "off")) { 
+        conf->disallowpost = 0; 
+    } 
+    else if (!strcasecmp(arg, "on")) { 
+        conf->disallowpost = 1; 
+    } else { 
+       return "DisallowPost should be either \"on\" or \"off\"."; 
+    } 
+ 
+    return NULL; 
+} 
+ 
 static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) 
 { 
     server_rec *s = cmd->server; 
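Review bot: `add_disallow_post` re-implements On/Off parsing that the configuration layer already provides. Registering the directive with `AP_INIT_FLAG` instead of `AP_INIT_TAKE1` (the table entry added in the next hunk) gives the handler the signature `(cmd_parms *cmd, void *config, int flag)` and removes both the `strcasecmp` chain and the hand-written error string. The body then reduces to `conf->disallowpost = flag; return NULL;`. If the manual parser is kept, the final `else` branch uses a different indent and brace placement from the `else if` above it.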
@@ -153,6 +185,8 @@ 
      "the maximum length (in bytes) of the script debug log"), 
 AP_INIT_TAKE1("ScriptLogBuffer", set_scriptlog_buffer, NULL, RSRC_CONF, 
      "the maximum size (in bytes) to record of a POST request"), 
+AP_INIT_TAKE1("DisallowPost", add_disallow_post, NULL, ACCESS_CONF, 
+     "disallow POST methods in a directory"), 
     {NULL} 
 }; 
 
@@ -736,6 +770,7 @@ 
     apr_status_t rv; 
     cgi_exec_info_t e_info; 
     conn_rec *c = r->connection; 
+    cgi_dir_conf *dconf; 
 
     if(strcmp(r->handler, CGI_MAGIC_TYPE) && strcmp(r->handler, "cgi-script")) 
         return DECLINED; 
@@ -751,6 +786,13 @@ 
         return DECLINED; 
     } 
 
+    dconf = (cgi_dir_conf *)ap_get_module_config(r->per_dir_config, 
+           &cgi_module); 
+ 
+    if (r->method_number == M_POST && dconf->disallowpost == 1) { 
+           return HTTP_METHOD_NOT_ALLOWED; 
+    } 
+ 
     argv0 = apr_filename_of_pathname(r->filename); 
     nph = !(strncmp(argv0, "nph-", 4)); 
     conf = ap_get_module_config(r->server->module_config, &cgi_module); 
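Review bot: The guard `r->method_number == M_POST` rejects POST only, so a request that carries its arguments in the body under another method (PUT, or an extension method the script accepts) would still reach the script without those arguments appearing in the access log, which is the property the report asks for. If that logging guarantee is the goal, an allow-list is the safer shape, e.g. `if (dconf->disallowpost && r->method_number != M_GET) return HTTP_METHOD_NOT_ALLOWED;`, assuming OPTIONS is already dealt with earlier in the handler; otherwise the directive's help text should state that it covers POST and nothing else. A 405 is also expected to carry an Allow header, and nothing on this path records the permitted methods before returning, so a line such as `r->allowed |= (AP_METHOD_BIT << M_GET);` ahead of the return looks necessary; this is worth confirming against how the error response builds that header. The handler's body starts and ends outside this hunk.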
@@ -1245,7 +1287,7 @@ 
 module AP_MODULE_DECLARE_DATA cgi_module = 
 { 
     STANDARD20_MODULE_STUFF, 
-    NULL,                        /* dir config creater */ 
+    create_dir_config,           /* dir config creater */ 
     NULL,                        /* dir merger --- default is to override */ 
     create_cgi_config,           /* server config */ 
     merge_cgi_config,            /* merge server config */
