Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/07/12 20:47:29 UTC

DO NOT REPLY [Bug 40030] New: - mod_dav documentation could be improved

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40030>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40030

           Summary: mod_dav documentation could be improved
           Product: Apache httpd-2
           Version: 2.2.2
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: darryl@darrylmiles.org


The documentation page at http://httpd.apache.org/docs/2.2/mod/mod_dav.html
has:

<LimitExcept GET OPTIONS>
  require user admin
</LimitExcept>


This example does not seem the best general purpose case since it omits the HEAD
and POST options, which would allow standard URL access to occur but
correctly limit methods employed by DAV.

<LimitExcept GET HEAD OPTIONS POST>
  require user admin
</LimitExcept>

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved (to <LimitExcept ...>)

------- Additional Comments From darryl@darrylmiles.org  2006-07-24 13:10 -------
Understood, your objections noted.

How about adding a comment line above the LimitExcept clause:

...
# HEAD not required explicitly, GET implies HEAD
<LimitExcept GET OPTIONS POST>
...

That would make things very clear and keep us both happy.



DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved

------- Additional Comments From slive@apache.org  2006-07-22 03:58 -------
As the <Limit> directive doc says, HEAD is implied by GET.

I'm neutral about POST.  Being more restrictive in the examples is usually
better than less restrictive.



DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved (to <LimitExcept ...>)

slive@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From slive@apache.org  2006-08-22 17:06 -------
I've added POST to the trunk version of the docs.  It is unlikely to get
backported, so it won't be seen in a release for a while.  Thanks for your
suggestion.



DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved (to <LimitExcept ...>)

darryl@darrylmiles.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|mod_dav documentation could |mod_dav documentation could
                   |be improved                 |be improved (to <LimitExcept
                   |                            |...>)




------- Additional Comments From darryl@darrylmiles.org  2006-07-22 09:58 -------
If I may clarify my thoughts.

Someone adding DAV to their website wants to restrict the additional DAV
operations but retain the existing web-application operations, so their
web-application continues to work like it did before.

If they wanted to restrict the POST operation they would already have configured
a rule for that outside of the additional configuration required for DAV.


Are you saying that DAV utilizes the POST method for any operation and in doing
so that operation may modify data or expose extra data to an anonymous website
user, that the anonymous website user wouldn't be able to have done otherwise?

To summarize that question: "Can a privilege escalation via the POST method occur
for an anonymous website user?"

When I audited the example configuration changes myself by researching into the
commands I was adding, this exact concern immediately came to mind.  After 5 mins
looking over the code for what DAV does via the POST method I could not see any
active component.

I'm trying to spare someone else less technical than me this headache that the
suggestion of <LimitExcept GET OPTIONS> implies, in that DAV may be unsafe for
any website utilizing the POST method for its everyday operations so we don't
recommend <LimitExcept GET OPTIONS POST>.


Point taken on the HEAD issue, but again <LimitExcept GET HEAD OPTIONS POST> is
much clearer to understand than <LimitExcept GET OPTIONS POST>; it means I don't
have the headache of finding out why HEAD wasn't included.  If they are equal
and one way is clearer than the other, use the clearer way in the documentation.

Is your neutral stance due to being unsure of the effects of DAV+POST?  Maybe a
DAV guru will notice this and contribute their wisdom.  I'm now thinking if
there are side effects these should be documented.  Either way I'm just trying
to remove the concern that a potential user may get after reading the current
documentation.




DO NOT REPLY [Bug 40030] - mod_dav documentation could be improved (to <LimitExcept ...>)

------- Additional Comments From slive@apache.org  2006-07-23 18:39 -------
I don't have any objection to adding POST.  In general, people should only open
up the methods they use, which frequently will not include POST.  But I agree
with you that in the context of DAV, it may make sense to address the methods
that are not affected by "Dav On".

I would certainly object to adding HEAD.  It would lead to people thinking they
could restrict HEAD and GET independently, resulting in more confusion, not
less.   In fact, the server should probably issue a warning if HEAD is present
in a <Limit(except)>. 

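To make the thread's two technical points concrete, here is an added Python model of how `<Limit>` and `<LimitExcept>` match request methods. It is example code written for this page, not Apache httpd's or mod_dav's implementation. It shows that `<LimitExcept GET OPTIONS POST>` and `<LimitExcept GET HEAD OPTIONS POST>` protect exactly the same methods, because the `<Limit>` documentation cited in the thread says GET implies HEAD, and that `LimitExcept` covers every method not listed, including extension methods the administrator never considered, whereas a positive `<Limit>` list protects only what it names. The HEAD-implied-by-GET rule is taken from the thread; the list of DAV methods, the made-up `BREW` extension method, the config strings and the report names are constructed for the demonstration.

```python
import re

# Methods mod_dav handles once "Dav On" is in effect. Constructed list, used
# only to build the sample request mix; the gating logic does not depend on it.
DAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT", "DELETE"}
)

# Matches the opening tag of a <Limit ...> or <LimitExcept ...> block.
_BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)


def parse_limit_block(config):
    """Return (kind, methods) for the first <Limit>/<LimitExcept> in config.

    kind is "Limit" or "LimitExcept". methods is the set of listed method
    names, upper-cased, with HEAD added whenever GET is listed (the <Limit>
    documentation rule the thread argues about). Comment lines are dropped.
    """
    body = "\n".join(
        line for line in config.splitlines() if not line.lstrip().startswith("#")
    )
    match = _BLOCK_RE.search(body)
    if match is None:
        raise ValueError("no <Limit> or <LimitExcept> block in config")
    kind = "LimitExcept" if match.group(1).lower() == "limitexcept" else "Limit"
    methods = {tok.upper() for tok in match.group(2).split()}
    if "GET" in methods:
        methods.add("HEAD")
    return kind, frozenset(methods)


def block_applies(kind, methods, request_method):
    """True if the directives inside the block (here 'require user admin')
    apply to request_method."""
    rm = request_method.upper()
    if kind == "Limit":
        return rm in methods
    # LimitExcept: everything NOT listed, including methods you never heard of.
    return rm not in methods


def gated_methods(config, candidates):
    """Sorted list of the candidate methods the block's 'require' protects."""
    kind, methods = parse_limit_block(config)
    return sorted(m for m in candidates if block_applies(kind, methods, m))


# Constructed request mix: ordinary web-app traffic, the DAV methods, and one
# invented extension method to show how each config treats the unexpected.
CANDIDATES = ["GET", "HEAD", "POST", "OPTIONS", "BREW"] + sorted(DAV_METHODS)

# The configurations discussed in the bug report.
ORIGINAL_DOC = """<LimitExcept GET OPTIONS>
  require user admin
</LimitExcept>
"""

WITH_HEAD_AND_POST = """<LimitExcept GET HEAD OPTIONS POST>
  require user admin
</LimitExcept>
"""

WITH_POST = """# HEAD not required explicitly, GET implies HEAD
<LimitExcept GET OPTIONS POST>
  require user admin
</LimitExcept>
"""

# Same intent written as a positive <Limit> list, for contrast: anything not
# named (POST, BREW, ...) is left unprotected.
POSITIVE_LIMIT = """<Limit PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK PUT DELETE>
  require user admin
</Limit>
"""


def report():
    """Map each config name to the methods its block protects."""
    configs = [
        ("original", ORIGINAL_DOC),
        ("with-head-and-post", WITH_HEAD_AND_POST),
        ("with-post", WITH_POST),
        ("positive-limit", POSITIVE_LIMIT),
    ]
    return {name: gated_methods(cfg, CANDIDATES) for name, cfg in configs}


if __name__ == "__main__":
    for name, gated in report().items():
        print(f"{name:20s} auth required for: {' '.join(gated)}")
```

Running it shows the "with-head-and-post" and "with-post" rows are identical, which is slive's point, and that only the `LimitExcept` forms require authentication for the unknown `BREW` method; that deny-by-default behaviour for unlisted methods is the reason to prefer `<LimitExcept>` over a hand-written `<Limit>` list when gating DAV.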