Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/07/18 18:58:56 UTC

DO NOT REPLY [Bug 35781] New: - ap_sub_req_method_uri() bypasses Limit security config

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35781>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35781

           Summary: ap_sub_req_method_uri() bypasses Limit security config
           Product: Apache httpd-2.0
           Version: 2.1-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dan.kubb-apache@onautopilot.com


When using ap_sub_req_method_uri() to perform a subrequest, it skips over all stages straight to the 
Type Handler phase.  This skips over any access/authentication/authorization handlers that have been 
defined, and allows the type/response phases to be executed directly -- when in fact the client may not 
be permitted by Limit security settings.

In my particular setup, I allow GET/HEAD/POST/OPTIONS to all users; but I limit PUT/DELETE to specific 
users.  I have a piece of code that executes when a POST (that contains specific instructions) is received, 
that performs a subrequest on the current URI as a PUT/DELETE.   In effect, I am tunneling PUT/DELETE 
over POST, something that allows me to have a uniform interface for all clients, while still allowing 
normal behaviour for web browser clients that are limited to GET/POST method calls only.

The behaviour I expected was for the security limits I set up for PUT/DELETE to be honored, and 
disallow the request should something in the AAA stages not pass; however the use of 
ap_run_quick_handler() at the end of ap_sub_req_method_uri() bypasses all of these handlers.
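The method-based access policy described in the report, written out as an added configuration example (not the reporter's own config); the location, password file path and user names are assumptions. `<LimitExcept>` is used instead of `<Limit PUT DELETE>` so that every method not explicitly allowed is restricted, not only the two named ones.

```apache
# Constructed example of the policy described above: read and the POST
# tunnel are open to everyone, every other method needs a named user.
<Location /docs>                                  # assumed path
    # Anything that is not GET/HEAD/POST/OPTIONS (PUT, DELETE, PROPFIND,
    # MKCOL, unknown methods, ...) falls into this block.
    <LimitExcept GET HEAD POST OPTIONS>
        AuthType Basic
        AuthName "Editors"
        AuthUserFile /etc/httpd/editors.htpasswd  # assumed path
        Require user alice bob                    # assumed users
    </LimitExcept>
</Location>
```

As the report explains, a PUT/DELETE subrequest issued through ap_sub_req_method_uri() is never checked against this block, so a handler that tunnels those methods over POST cannot rely on it to authorize the tunneled method.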
