After setting up a "sensible" access.conf:
# The DocumentRoot is assumed to be under our control
<Directory /dc/ud/www/documentroot>
AllowOverride FileInfo AuthConfig Limit
Options Indexes FollowSymLinks IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE LINK UNLINK>
order deny,allow
deny from all
</Limit>
</Directory>
Apache 0.8.10x complains about the " LINK UNLINK". Why?
The relevant code is in http_core.c:
while(limited_methods[0]) {
char *method = getword_conf (cmd->pool, &limited_methods);
if(!strcasecmp(method,"GET")) limited |= (1 << M_GET);
else if(!strcasecmp(method,"PUT")) limited |= (1 << M_PUT);
else if(!strcasecmp(method,"POST")) limited |= (1 << M_POST);
else if(!strcasecmp(method,"DELETE")) limited |= (1 << M_DELETE);
else return "unknown method in <Limit>";
}
Wouldn't the "principle of least astonishment" be to ignore any
methods not implemented in the server, or (better) make the set
of allowed methods completely configurable?
Hmmm...what is the default for methods that have no Limit?
It isn't specified in the documentation.
From looking at check_dir_access() in mod_access.c, I'm going to
guess it is
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
</Limit>
It would also be nice to explain why HEAD is never Limit'd.
.....Roy
# The DocumentRoot is assumed to be under our control
<Directory /dc/ud/www/documentroot>
AllowOverride FileInfo AuthConfig Limit
Options Indexes FollowSymLinks IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE LINK UNLINK>
order deny,allow
deny from all
</Limit>
</Directory>
Apache 0.8.10x complains about the " LINK UNLINK". Why?
The relevant code is in http_core.c:
while(limited_methods[0]) {
char *method = getword_conf (cmd->pool, &limited_methods);
if(!strcasecmp(method,"GET")) limited |= (1 << M_GET);
else if(!strcasecmp(method,"PUT")) limited |= (1 << M_PUT);
else if(!strcasecmp(method,"POST")) limited |= (1 << M_POST);
else if(!strcasecmp(method,"DELETE")) limited |= (1 << M_DELETE);
else return "unknown method in <Limit>";
}
Wouldn't the "principle of least astonishment" be to ignore any
methods not implemented in the server, or (better) make the set
of allowed methods completely configurable?
Hmmm...what is the default for methods that have no Limit?
It isn't specified in the documentation.
From looking at check_dir_access() in mod_access.c, I'm going to
guess it is
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
</Limit>
It would also be nice to explain why HEAD is never Limit'd.
.....Roy