Mailing List Archive

<limit> behaviour change...
Just noticed some strangeness since we switched from 0.6.5 to 0.8.8
on one of our boxes. Under 0.6.5 a .htaccess file of the form:


---
AuthUserFile /home/www/htdocs/.htpasswd
AuthGroupfile /dev/null
AuthName ByPassword
AuthType Basic

<limit GET>
require user TIS
</limit>
---

allowed people to POST to scripts that it was protecting. While under 0.8.8
we get the 'correct' behaviour of not allowing POSTs to scripts. A long-running
application's .htaccess had to be changed to:


...
<limit GET POST>
...

to allow POSTs to get through.

It seems that sometime before 0.6.5 the real NCSA 1.3R behaviour got dropped
and might only have been recovered when we went to a Shambahla Core, an
observation supported by Paul Richards who's running Shambahla on one of his
test servers.

Anyway, to reiterate. Some .htaccess files that are fine for Apache 0.6.5 will
break under 0.8.8 (and presumably 0.8.9). Does this point warrant a notice
in the known bugs list - even if it's really 0.6.5 that is in error!!

Comments?

Ay.

Andrew Wilson URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford Office: +44 01865 843155 Mobile: +44 0589 616144
Re: <limit> behaviour change... [ In reply to ]
On Tue, 8 Aug 1995, Andrew Wilson wrote:
> Anyway, to reiterate. Some .htaccess files that are fine for Apache 0.6.5 will
> break under 0.8.8 (and presumably 0.8.9). Does this point warrant a notice
> in the known bugs list - even if it's really 0.6.5 that is in error!!

I just added a page on compatibility notes to the web site -
http://www.apache.org/docs/compat_notes.html
It's linked to from the home page, the "new with 08" page, and the
documentation page.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
Re: <limit> behaviour change... [ In reply to ]
This is weird --- with NCSA 1.3R, it was a very frequently reported bug
that <Limit GET> would *not* limit POSTs --- but that was generally
reported in conjunction with allow and deny directives. Is it possible
that the difference here is that authentication is involved?

rst
Re: <limit> behaviour change... [ In reply to ]
Brian:
> I just added a page on compatibility notes to the web site -
> http://www.apache.org/docs/compat_notes.html
> It's linked to from the home page, the "new with 08" page, and the
> documentation page.

Ah, I took a look and the wording was a bit confusing for me. Slap me if
I'm r0ng but I thought that the default behaviour was to DISALLOW all
methods [GET, POST, whatever] and to only allow, or even consider, those
methods which are mentioned inside a <limit ...> directive. That's why
all NCSA clone access.conf's have the basic structure:

<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
AllowOverride All
<Limit GET>
order allow,deny
allow from all
</Limit>
</Directory>

Meaning that under most out-of-the-box configurations the GET method is
permitted everywhere.

The wording as is on the compatibility notes page read:

2. <Limit> silliness - in the old Apache 0.6.5, a directive of
<Limit GET> would also restrict POST methods - Apache 0.8.8's new core
is correct in not presuming a limit on a GET is the same limit on a
POST, so if you are relying on that behavior you need to change your
access configurations to reflect that.

Which suggests to me that <limit>'ations only apply to those methods
mentioned explicitly and that anything not mentioned can get through. Which
is not the same thing, I believe, as the intent of NCSA's original design.
Perhaps a less confusing (for me) wording might be:

2. <Limit> silliness - in the old Apache 0.6.5, a directive of
<Limit GET> would allow POST methods to be executed. The default
for POSTs under this directive should be to prevent POSTs from being
honoured. Apache 0.8.8's new core is correct in presuming that any
method not mentioned explicitly in a <Limit ...> directive is to
be disabled. So if you are relying on that behaviour you need to
change your access configurations to reflect that.

Specifically you may need to add the POST method to your <Limit ...>
directives if you notice that people are no longer able to POST to
your scripts.

Or words to that effect.

Alternatively, I might be just plain r0ng. Trust me, it happens. ;)

Ay.


> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
>
>
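The disagreement above comes down to what a <Limit> section means for a method it does not name. The following script is an added example, not code from this thread or from Apache/NCSA: it parses a constructed copy of Andrew's .htaccess fragment (hypothetical path and user name) and evaluates GET and POST requests under the two readings argued over here, labelled "listed-only" (a <Limit> constrains only the methods it names, so an unlisted method is never asked for credentials) and "deny-unlisted" (a method named in no <Limit> is refused outright). Both policies are models of the thread's two interpretations, not a reconstruction of either server's actual code path. The interesting row is an anonymous POST against <limit GET>: under the listed-only reading it reaches the protected script without a password, which is the gap Andrew noticed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the .htaccess fragment quoted in the thread
# (hypothetical path and user name, taken from the post as-is).
HTACCESS_GET_ONLY = """\
AuthUserFile /home/www/htdocs/.htpasswd
AuthGroupfile /dev/null
AuthName ByPassword
AuthType Basic

<limit GET>
require user TIS
</limit>
"""

# The rewrite Andrew reports having to make for the long-running application.
HTACCESS_GET_POST = HTACCESS_GET_ONLY.replace("<limit GET>", "<limit GET POST>")


@dataclass
class LimitSection:
    """One <Limit ...> ... </Limit> block: the methods it names and the
    'require user' names found inside it."""
    methods: set
    required_users: set = field(default_factory=set)


def parse_htaccess(text: str):
    """Split .htaccess text into top-level directive lines and LimitSections.
    Only 'require user' is modelled inside <Limit>; anything else raises."""
    top_level, sections, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<limit\s+([^>]+)>$", line, re.I)
        if opened:
            if current is not None:
                raise ValueError("nested <Limit> is not allowed")
            current = LimitSection(methods={m.upper() for m in opened.group(1).split()})
            continue
        if re.match(r"</limit>$", line, re.I):
            if current is None:
                raise ValueError("</Limit> without <Limit>")
            sections.append(current)
            current = None
            continue
        if current is None:
            top_level.append(line)
            continue
        req = re.match(r"require\s+user\s+(.+)$", line, re.I)
        if not req:
            raise ValueError(f"only 'require user' is modelled inside <Limit>: {line}")
        current.required_users.update(req.group(1).split())
    if current is not None:
        raise ValueError("unterminated <Limit> section")
    return top_level, sections


def decide(htaccess: str, method: str, user: Optional[str], policy: str) -> str:
    """Outcome for one request under a given reading of <Limit>:
    'allow', 'auth_required' (a 401 challenge) or 'deny' (a 403)."""
    _, sections = parse_htaccess(htaccess)
    applicable = [s for s in sections if method.upper() in s.methods]
    if not applicable:
        # The method is named in no <Limit>: this is where the two readings differ.
        if policy == "listed-only":
            return "allow"            # unlisted method slips past the 'require'
        if policy == "deny-unlisted":
            return "deny"
        raise ValueError(f"unknown policy {policy!r}")
    if user is None:
        return "auth_required"
    # Every applicable section must admit the authenticated user.
    if all(user in s.required_users for s in applicable):
        return "allow"
    return "auth_required"


def matrix(htaccess: str) -> dict:
    """Map (method, user, policy) -> outcome for the cases the thread argues about."""
    out = {}
    for policy in ("listed-only", "deny-unlisted"):
        for method in ("GET", "POST"):
            for user in (None, "TIS"):
                out[(method, user, policy)] = decide(htaccess, method, user, policy)
    return out


if __name__ == "__main__":
    for label, conf in (("<limit GET>", HTACCESS_GET_ONLY),
                        ("<limit GET POST>", HTACCESS_GET_POST)):
        print(label)
        for (method, user, policy), outcome in matrix(conf).items():
            print(f"  {policy:13s} {method:4s} user={user!s:5s} -> {outcome}")
```

Whichever reading a given server implements, the row to audit in a configuration like this is the method the <Limit> leaves out: if authentication directives are placed inside a <Limit GET>, the only way to be sure a POST-only CGI is also covered is to name POST (or to put the require outside any <Limit> at all, so it applies to every method).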
Re: <limit> behaviour change... [ In reply to ]
Ahhh sheet,

all of this from me was just completely bogus. I tried my ideas
out on an NCSA 1.3R and it behaves just like 0.6.5 did! And 0.8.8
doesn't behave like 1.3R does in the same environment. 0.8.8 *needs*
<Limit POST> and 1.3R, 0.6.5 and my momma don't give a damn.

Go figure.

Andrew Wilson URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford Office: +44 01865 843155 Mobile: +44 0589 616144

Re: <limit> behaviour change... [ In reply to ]
The .htaccess file below should allow "post" but not "get"s.
All the methods must be explicitly listed in the limit directive
to be limited. I don't think the NCSA server has limited "post"s
without them being specifically listed in the limit directive
recently (1.3 or later).

Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu

>
> ---
> AuthUserFile /home/www/htdocs/.htpasswd
> AuthGroupfile /dev/null
> AuthName ByPassword
> AuthType Basic
>
> <limit GET>
> require user TIS
> </limit>
> ---
>
> allowed people to POST to scripts that it was protecting. While under 0.8.8
> we get the 'correct' behaviour of not allowing POSTs to scripts. A long-running
> application's .htaccess had to be changed to:
>
> Andrew Wilson URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
> Elsevier Science, Oxford Office: +44 01865 843155 Mobile: +44 0589 616144
>