Posted to dev@httpd.apache.org by Russell Miller <rm...@duskglow.com> on 2005/08/26 23:56:21 UTC

PATCH DisallowPost

(I sent this once before but I think it was bounced, so if you get it twice, 
my apologies)

A patch has been submitted to mod_cgi.c that will allow the user to disallow 
post requests in affected directories.

History and reasoning, as well as a patch, are in the report, #36368.  I will 
duplicate that part here:

We wanted to disallow the POST method, because for our purposes we wanted the 
arguments to said calls to be logged in the access log.  We considered using 
LimitExcept, but upon trying it, I saw that a 403 error was returned, and a 
search of the bug database showed that you had no plans to fix this.  I don't 
understand your reasoning on that, but anyway.  We needed a 405 error, and the 
only other way to do it was to test it in the CGI code itself, which was ugly. 
 
So, in true open source style, I hacked on mod_cgi and made a patch.  This 
creates a new config directive called DisallowPost - it's an ACCESS_CONF 
directive.  It can be either On or Off.  If it's on and you try to access a 
location protected by it with POST, you'll get a 405 method not allowed, which 
is exactly the behavior we needed. 
 
The patch line numbers will be off because I also applied the patch that fixes 
the #exec cmd problem.  However, other than that, it should apply to stock 
2.0.54. 

--Russell

-- 

Russell Miller - rmiller@duskglow.com - Agoura Hills, CA


Re: PATCH DisallowPost

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Sat, Aug 27, 2005 at 08:41:30PM +0100, Colm MacCarthaigh wrote:
> I think we have our wires crossed, I mean it's a bug

My fault too, stupid missing carriage-return, hmmm, "Status:" probably
shouldn't be picked up either though.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Re: PATCH DisallowPost

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Sat, Aug 27, 2005 at 04:19:45PM +0100, Nick Kew wrote:
> >httpd can't predict what methods the resource will accept.
> 
> If it's rejecting a request based on <Limit(Except)>, it can infer
> a list of allowed methods from that.

I guess, but there's no knowing what the CGI itself would then accept is
what I meant. 

> >This patch doesn't seem to honour RFC2616, and doesn't add an "Allow:"
> >header to the request. It's also specific to a single method.
> >
> >However, at present I don't think mod_cgi(d) will allow an "Allow:"
> >header through from a CGI, so this probably should be fixed, for this
> >reason.
> 
> Erm, last time I looked, a CGI script could generate any HTTP headers
> it pleases.  Not to be confused with the fact that a typical CGI script
> generates less than a full HTTP response, so Apache usually has to add
> something to what CGI generates.

I think we have our wires crossed, I mean it's a bug, the "Allow" header
isn't being handled correctly. I know what it should do :) I went and
tested;

#!/bin/sh

echo "Allow: GET"
echo "Status: 405 Method Not Allowed"

and I get;

HTTP/1.1 405 Method Not Allowed
Date: Sat, 27 Aug 2005 19:35:41 GMT
Server: Apache/2.3.0-dev (Unix) mod_ssl/2.3.0-dev OpenSSL/0.9.7e
Content-Length: 0
Connection: close
Content-Type: text/plain

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
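As an added example (not code from the thread or from httpd), the check done in the CGI itself, which is where Nick and Colm say it belongs: refuse POST with the 405 that RFC 2616 10.4.6 requires, carry the Allow header listing the valid methods, and terminate the header block with the blank line that Colm's test script was missing. The allowed-method list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A CGI script that enforces its own
# method policy instead of relying on a mod_cgi patch. Assumes httpd invokes
# it with REQUEST_METHOD set; the list of allowed methods is a constructed value.

ALLOWED="GET, HEAD"

# Status code the script would answer a given method with (200 or 405).
cgi_status() {
    case ", $ALLOWED," in
        *", $1,"*) echo 200 ;;
        *)          echo 405 ;;
    esac
}

# Emit the complete CGI response (header block, empty line, body) for a method.
cgi_response() {
    method="$1"
    if [ "$(cgi_status "$method")" = 200 ]; then
        printf 'Content-Type: text/plain\n\n'
        printf 'hello\n'
    else
        # "Status:" tells httpd which status line to send. A 405 MUST carry
        # an Allow header (RFC 2616 10.4.6). The empty line after the headers
        # is what ends the header block; without it the output is a malformed
        # CGI response and the headers are not picked up as intended.
        printf 'Status: 405 Method Not Allowed\n'
        printf 'Allow: %s\n' "$ALLOWED"
        printf 'Content-Type: text/plain\n\n'
        printf 'Method %s is not allowed for this resource\n' "$method"
    fi
}

cgi_response "${REQUEST_METHOD:-GET}"
```

A test-only POST against a script like this returns the 405 with Allow that the original patch was trying to get out of mod_cgi, without touching httpd.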

Re: PATCH DisallowPost

Posted by Nick Kew <ni...@webthing.com>.
> But it's really the only place it can be done, from RFC2616;
> 
> 10.4.6 405 Method Not Allowed
> 
>    The method specified in the Request-Line is not allowed for the
>    resource identified by the Request-URI. The response MUST include an
>    Allow header containing a list of valid methods for the requested
>    resource.
> 
> httpd can't predict what methods the resource will accept.

If it's rejecting a request based on <Limit(Except)>, it can infer
a list of allowed methods from that.

>>So, in true open source style, I hacked on mod_cgi and made a patch.

mod_cgi is not really the appropriate place for that.  It's a matter
either for the CGI application itself, or for the core code that
implements <Limit>/<LimitExcept>.

Of course it's fine to patch it for your own use, and share your patch.
But it wouldn't be appropriate for the standard apache codebase.

> This patch doesn't seem to honour RFC2616, and doesn't add an "Allow:"
> header to the request. It's also specific to a single method.
>
> However, at present I don't think mod_cgi(d) will allow an "Allow:"
> header through from a CGI, so this probably should be fixed, for this
> reason.

Erm, last time I looked, a CGI script could generate any HTTP headers
it pleases.  Not to be confused with the fact that a typical CGI script
generates less than a full HTTP response, so Apache usually has to add
something to what CGI generates.

-- 
Nick Kew

Re: PATCH DisallowPost

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Fri, Aug 26, 2005 at 02:56:21PM -0700, Russell Miller wrote:
> We wanted to disallow the POST method, because for our purposes we wanted the 
> arguments to said calls to be logged in the access log.  We considered using 
> LimitExcept, but upon trying it, I saw that a 403 error was returned, and a 
> search of the bug database showed that you had no plans to fix this.  

I don't think returning 403 is a bug;

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.

> I don't understand your reasoning on that, but anyway.  We needed a
> 405 error, and the only other way to do it was to test it in the CGI
> code itself, which was ugly. 

But it's really the only place it can be done, from RFC2616;

10.4.6 405 Method Not Allowed

   The method specified in the Request-Line is not allowed for the
   resource identified by the Request-URI. The response MUST include an
   Allow header containing a list of valid methods for the requested
   resource.

httpd can't predict what methods the resource will accept.

> So, in true open source style, I hacked on mod_cgi and made a patch.

This patch doesn't seem to honour RFC2616, and doesn't add an "Allow:"
header to the request. It's also specific to a single method.

However, at present I don't think mod_cgi(d) will allow an "Allow:"
header through from a CGI, so this probably should be fixed, for this
reason.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net