httpd-test-dev mailing list archives

From "Roy T. Fielding" <>
Subject Re: [ IBM AS/400 HTTP Server '/' attack]
Date Fri, 09 Nov 2001 20:42:57 GMT
On Fri, Nov 09, 2001 at 03:16:03PM -0500, Rodent of Unusual Size wrote:
> Rodent of Unusual Size wrote:
> > 
> > "William A. Rowe, Jr." wrote:
> > >
> > > Since the default handler doesn't glom onto trailing path_info,
> > > it doesn't get handled.  All 1.3 pages I tested _without_ SSI's
> > > enabled returned 404.
> > 
> > Irrelevant.  It is perfectly possible and acceptable to submit
> > path-info to a resource that cannot handle it (e.g., a text/plain
> > file).  If we return 404 for that, we are broken -- period.
> Nrrgh, I take that back, at least temporarily.  Objections
> currently in abeyance while I check some stuff.. :-/

Good, because I was about to slap you silly.  ;-)

One of the goals of an HTTP server is to give the server owner control
over their http namespace.  Allowing every storage component to map into
an infinite number of URI is not desirable.  It isn't even desirable for
gateways like CGI, SSI, and JSP, though it is necessary in order for those
storage components to become dynamic handlers of collection resources.
Extra path info is therefore only valid for those components for which
handlers are defined that are capable of being collections (like mod_index)
or being a potential gateway to a collection.

This would be a lot easier for the server to determine if we had some sort
of config or module rec field that indicated the handler wants path info.
The default handler definitely does not want path info.

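The policy Fielding describes, as an added example that is not part of the original message or of the httpd code base: walk the URI against an in-memory document root (constructed here, with a hypothetical per-handler "accepts path info" flag standing in for the module-record field the message asks for), and let only handlers that declare themselves collection-capable receive trailing path info; the default file handler refuses it with 404 so that `/index.html/`, `/index.html/x`, and so on do not all alias the same file.

```python
"""Model of the accept-path-info policy discussed above (constructed example)."""
import posixpath
from typing import Dict, Optional, Tuple

# Constructed in-memory document root: path -> "file" or "dir".
DOCROOT: Dict[str, str] = {
    "/": "dir",
    "/index.html": "file",
    "/docs": "dir",
    "/docs/guide.txt": "file",
    "/cgi-bin": "dir",
    "/cgi-bin/env.cgi": "file",
}

# Hypothetical handler table: extension -> (handler name, accepts path info?).
# This flag is the "config or module rec field" the message proposes.
HANDLERS: Dict[str, Tuple[str, bool]] = {
    ".html": ("default-handler", False),
    ".txt": ("default-handler", False),
    ".cgi": ("cgi-script", True),
}


def split_path_info(uri_path: str) -> Tuple[Optional[str], str]:
    """Walk URI segments until a file is reached; the remainder is path_info."""
    segments = [s for s in uri_path.split("/") if s]
    filename = "/"
    for i, seg in enumerate(segments):
        candidate = posixpath.join(filename, seg)
        kind = DOCROOT.get(candidate)
        if kind is None:
            return None, ""  # nothing in the namespace here: ordinary 404
        filename = candidate
        if kind == "file":
            rest = segments[i + 1:]
            trailing = uri_path.endswith("/")
            if rest or trailing:
                # A bare trailing slash is path info too ("/index.html/").
                return filename, "/" + "/".join(rest) + ("/" if rest and trailing else "")
            return filename, ""
    return filename, ""  # resolved to a directory


def dispatch(uri_path: str) -> Tuple[int, str]:
    """Return (status, explanation) after applying the per-handler policy."""
    filename, path_info = split_path_info(uri_path)
    if filename is None or DOCROOT[filename] == "dir":
        return 404, "not found"  # directory index/redirect handling is out of scope
    handler, accepts_path_info = HANDLERS.get(posixpath.splitext(filename)[1],
                                              ("default-handler", False))
    if path_info and not accepts_path_info:
        # The default handler does not want path info: refuse the aliased URI.
        return 404, f"{handler} rejects path_info {path_info!r} for {filename}"
    return 200, f"{handler} serves {filename} with path_info={path_info!r}"
```

Apache httpd 2.0 later exposed this kind of per-handler choice to administrators as the `AcceptPathInfo` directive.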