[ mailman-Patches-1578756 ] Handle unexpected HTTP method gracefully
Patches item #1578756, was opened at 2006-10-17 08:45
Message generated for change (Comment added) made by ppsys
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1578756&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Web UI
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Thijs Kinkhorst (kink)
Assigned to: Nobody/Anonymous (nobody)
Summary: Handle unexpected HTTP method gracefully

Initial Comment:
Hi!

When Mailman is confronted with an unexpected HTTP method type (e.g. PROPFIND instead of GET/HEAD/POST), it crashes. The attached patch fixes that more gracefully by throwing the appropriate HTTP error.

Thanks for considering.

Thijs

----------------------------------------------------------------------

Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 17:22

Message:
Logged In: YES
user_id=75166

There are two issues:

1. Having Mailman's CGI scripts defend themselves against inappropriate application of WebDAV methods is good and would probably be required for RFC compliance if CGI had an RFC. The fact the fix only requires change to a single driver script to defend multiple functional scripts is a tribute to the original design.

2. Inappropriate configuration of Apache servers with respect to WebDAV is wrong.

a. Many if not most legacy CGI scripts will not have been programmed to defend themselves against WebDAV methods. Fixing them on an existing system is time consuming and error prone. Fixing Apache config is easier and more reliable.

b. Mailman's pipermail archives and much other served resource should also not be subject to WebDAV methods. Only getting the Apache config right can deal with this.

Fixing CGI scripts is good. Getting the Apache configuration correct is more important.
----------------------------------------------------------------------

Comment By: Thijs Kinkhorst (kink)
Date: 2006-10-22 14:34

Message:
Logged In: YES
user_id=285765

Yes, that's true. However, in any case mailman should output a sensible error, I think?

----------------------------------------------------------------------

Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 07:35

Message:
Logged In: YES
user_id=75166

There is an alternative to fixing cgi scripts to cope with inappropriate WebDAV methods being applied to them, which works regardless of whether they are Mailman cgi scripts or not.

Configure Apache not to apply WebDAV methods to inappropriate resources by the use of Apache directives such as DAV Off and LimitExcept GET POST.

See:
http://httpd.apache.org/docs/2.0/mod/mod_dav.html
and
http://httpd.apache.org/docs/2.0/mod/core.html#limitexcept

----------------------------------------------------------------------
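An added illustration of the driver-level check discussed in this thread; it is not the attached patch and not Mailman's code. It assumes the guard answers with a CGI `Status: 405` header plus `Allow` (the thread does not say which error the patch emits), and the names `method_error`, `run_guarded` and `demo_handler` are hypothetical.

```python
import io
import sys

# Assumption: the methods the wrapped scripts are written for (the thread names GET/HEAD/POST).
ALLOWED_METHODS = ("GET", "HEAD", "POST")


def method_error(environ):
    """Return the CGI response for a rejected request, or None if the method is accepted."""
    method = environ.get("REQUEST_METHOD", "")  # missing variable is treated as rejected
    if method in ALLOWED_METHODS:               # HTTP method names are case-sensitive
        return None
    allow = ", ".join(ALLOWED_METHODS)
    # The client-supplied method is deliberately not echoed back into the response.
    return (
        "Status: 405 Method Not Allowed\r\n"
        "Allow: %s\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Method not allowed; supported methods: %s\n" % (allow, allow)
    )


def run_guarded(handler, environ, out=sys.stdout):
    """Driver entry point: reject unexpected methods before any handler code runs."""
    error = method_error(environ)
    if error is not None:
        out.write(error)
        return False
    handler(environ, out)
    return True


def demo_handler(environ, out):
    # Constructed stand-in for one functional script behind the shared driver.
    out.write("Content-Type: text/plain\r\n\r\nlistinfo page\n")


def demo(method):
    """Run the constructed handler under the guard; return (handler_ran, response_text)."""
    out = io.StringIO()
    ran = run_guarded(demo_handler, {"REQUEST_METHOD": method}, out)
    return ran, out.getvalue()


if __name__ == "__main__":
    for m in ("GET", "PROPFIND"):
        print(m, "->", demo(m)[1].splitlines()[0])
```

Because the check sits in the shared entry point, every script dispatched through it gets the same rejection without per-script changes; resources served outside the driver, such as static archives, still depend on the web server configuration.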