Re: cvs commit: httpd-2.0/modules/mappers mod_negotiation.c

["Roy T. Fielding" <fi...@ebuilt.com>]

On Mon, Aug 06, 2001 at 10:42:59PM -0000, wrowe@apache.org wrote:
> wrowe       01/08/06 15:42:59
> 
>   Modified:    modules/mappers mod_negotiation.c
>   Log:
>     Thanks goes to Manoj, while commenting on another issue, for triggering
>     this idea.  If we find files matching (e.g. index.html.bak matches
>     index.html) but they are rejected because we don't understand them
>     (e.g. they are a directory, or .bak isn't a mod_mime recognized extension)
>     then Error 500 out of here, with a note for the system administrator
>     explaining that index.html matches some files, but their extensions
>     cannot be grokked.  No more (unintentional, or situational) autoindex :)

The idea is fine, but we should be returning 404 Not Found in this case.
500 is too generic and we don't want the client to repeat the request
thinking that it may succeed sometime soon.

....Roy

Re: cvs commit: httpd-2.0/modules/mappers mod_negotiation.c

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

I agree with you, if no files exist.  Some do, therefore the server is misconfigured, 
or the files shouldn't exist in the first place.

Please see mod_negotation.c line 818 for another example where we blow up with an
error 500 when the negotiation map file is completely empty.  If we are going to
make this consistant, there are some other errors in mod_negotiation that need
some further review.

We might have somebody else even serve one of those files, but the new rules mean
nobody else will get a chance.  That's why I feel it is a 500, but I don't have
a strong enough opinion to argue the point, so the patch is committed.

Bill

----- Original Message ----- 
From: "Roy T. Fielding" <fi...@ebuilt.com>
To: <ne...@apache.org>
Sent: Monday, August 06, 2001 6:40 PM
Subject: Re: cvs commit: httpd-2.0/modules/mappers mod_negotiation.c


> If the file with the unrecognized extension did not exist, would the
> result be a 404 or a 200?  If it would have been 200, then 500 would be
> a reasonable error response.  If it would have been 404, then 404 is the
> only reasonable response --- an admin can look at the error_log to find
> out why.
> 
> The specific example you described in the commit message should always
> result in a 404.  This is a protocol answer.
> 
> ....Roy
> 
> > I believe we want a 500, here's why...
> > 
> > A 404 error is far more likely to go 'unnoticed', although it's pretty obviously
> > a configuration error (why are we searching for indexes that are misconfigured?
> > If the admin wants to deny access, Options -Includes and leave DefaultIndex out.)
> > 
> > A 500 tell the admin, as well as the user, that we are in trouble, and something
> > needs to be fixed.  If you yell loud enough, the problem gets fixed.
> > 
> > Note this is an unusual error, but people do stumble across it.  A 404 would 
> > minimize the problem too far.
> 
> 

Re: cvs commit: httpd-2.0/modules/mappers mod_negotiation.c

["Roy T. Fielding" <fi...@ebuilt.com>]

If the file with the unrecognized extension did not exist, would the
result be a 404 or a 200?  If it would have been 200, then 500 would be
a reasonable error response.  If it would have been 404, then 404 is the
only reasonable response --- an admin can look at the error_log to find
out why.

The specific example you described in the commit message should always
result in a 404.  This is a protocol answer.

....Roy

> I believe we want a 500, here's why...
> 
> A 404 error is far more likely to go 'unnoticed', although it's pretty obviously
> a configuration error (why are we searching for indexes that are misconfigured?
> If the admin wants to deny access, Options -Includes and leave DefaultIndex out.)
> 
> A 500 tell the admin, as well as the user, that we are in trouble, and something
> needs to be fixed.  If you yell loud enough, the problem gets fixed.
> 
> Note this is an unusual error, but people do stumble across it.  A 404 would 
> minimize the problem too far.

Re: cvs commit: httpd-2.0/modules/mappers mod_negotiation.c

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

From: "Roy T. Fielding" <fi...@ebuilt.com>
Sent: Monday, August 06, 2001 6:10 PM


> On Mon, Aug 06, 2001 at 10:42:59PM -0000, wrowe@apache.org wrote:
> > wrowe       01/08/06 15:42:59
> > 
> >   Modified:    modules/mappers mod_negotiation.c
> >   Log:
> >     Thanks goes to Manoj, while commenting on another issue, for triggering
> >     this idea.  If we find files matching (e.g. index.html.bak matches
> >     index.html) but they are rejected because we don't understand them
> >     (e.g. they are a directory, or .bak isn't a mod_mime recognized extension)
> >     then Error 500 out of here, with a note for the system administrator
> >     explaining that index.html matches some files, but their extensions
> >     cannot be grokked.  No more (unintentional, or situational) autoindex :)
> 
> The idea is fine, but we should be returning 404 Not Found in this case.
> 500 is too generic and we don't want the client to repeat the request
> thinking that it may succeed sometime soon.

I believe we want a 500, here's why...

A 404 error is far more likely to go 'unnoticed', although it's pretty obviously
a configuration error (why are we searching for indexes that are misconfigured?
If the admin wants to deny access, Options -Includes and leave DefaultIndex out.)

A 500 tell the admin, as well as the user, that we are in trouble, and something
needs to be fixed.  If you yell loud enough, the problem gets fixed.

Note this is an unusual error, but people do stumble across it.  A 404 would 
minimize the problem too far.