[ mailman-Patches-1578756 ] Handle unexpected HTTP method gracefully

SourceForge.net noreply at sourceforge.net
Sun Oct 22 19:22:56 CEST 2006


Patches item #1578756, was opened at 2006-10-17 08:45
Message generated for change (Comment added) made by ppsys
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1578756&group_id=103

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web UI
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Thijs Kinkhorst (kink)
Assigned to: Nobody/Anonymous (nobody)
Summary: Handle unexpected HTTP method gracefully

Initial Comment:
Hi!

When Mailman is confronted with an unexpected HTTP
method type (e.g. PROPFIND instead of GET/HEAD/POST),
it crashes. The attached patch fixes that more
gracefully by throwing the appropriate HTTP error.

Thanks for considering.
Thijs

----------------------------------------------------------------------

Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 17:22

Message:
Logged In: YES 
user_id=75166

There are two issues:

1. Having Mailman's CGI scripts defend themselves against 
inappropriate application of WebDAV methods is good and would 
probably be required for RFC compliance if CGI had an RFC. The 
fact the fix only requires change to a single driver script 
to defend multiple functional scripts is a tribute to the 
original design.

2. Inappropriate configuration of Apache servers with respect
to WebDAV is wrong. 

	a. Many if not most legacy CGI scripts will not have been
	programmed to defend themselves against WebDAV methods. 
	Fixing them on an existing system is time consuming and 
	error prone. Fixing Apache config is easier and more 
	reliable.
	
	b. Mailman's pipermail archives and much other served 
	resource should also not be subject to WebDAV methods. 
	Only getting the Apache config right can deal with this.

Fixing CGI scripts is good. Getting the Apache configuration  
correct is more important. 


----------------------------------------------------------------------

Comment By: Thijs Kinkhorst (kink)
Date: 2006-10-22 14:34

Message:
Logged In: YES 
user_id=285765

Yes, that's true. However, in any case Mailman should output
a sensible error, I think?

----------------------------------------------------------------------

Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 07:35

Message:
Logged In: YES 
user_id=75166

There is an alternative to fixing CGI scripts to cope with inappropriate 
WebDAV methods being applied to them, which works regardless of whether 
they are Mailman CGI scripts or not.

Configure Apache not to apply WebDAV methods to inappropriate resources 
by the use of Apache directives such as DAV Off and LimitExcept GET POST. 
See:

http://httpd.apache.org/docs/2.0/mod/mod_dav.html

and

http://httpd.apache.org/docs/2.0/mod/core.html#limitexcept

----------------------------------------------------------------------
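A sketch of the script-side defence this thread discusses, added here as an illustration; it is not the patch attached to this tracker item and not Mailman's code. The names `run_guarded` and `hello_handler`, the choice of a 405 status and the `Allow` header are assumptions, since the thread does not show what the patch emits.

```python
import os
import re
import sys

# Methods named in the report as the expected ones.
ALLOWED_METHODS = ("GET", "HEAD", "POST")


def _printable(method):
    """Reduce the client-supplied method to a short, safe token for echoing."""
    return re.sub(r"[^A-Za-z0-9_-]", "?", method)[:32] or "(none)"


def method_not_allowed(method, out):
    """Write a CGI 405 response that lists the accepted methods."""
    body = "Method %s is not allowed for this resource.\n" % _printable(method)
    out.write("Status: 405 Method Not Allowed\r\n")
    out.write("Allow: %s\r\n" % ", ".join(ALLOWED_METHODS))
    out.write("Content-Type: text/plain; charset=us-ascii\r\n")
    out.write("Content-Length: %d\r\n\r\n" % len(body))
    out.write(body)


def run_guarded(handler, environ=None, out=None):
    """Check REQUEST_METHOD once, before any functional script runs.

    Returns the status code written, so callers and tests can check it.
    """
    environ = os.environ if environ is None else environ
    out = sys.stdout if out is None else out
    # HTTP method names are case-sensitive, so "get" is rejected as well.
    method = environ.get("REQUEST_METHOD", "")
    if method not in ALLOWED_METHODS:
        method_not_allowed(method, out)
        return 405
    handler(environ, out)
    return 200


def hello_handler(environ, out):
    """Hypothetical functional script standing in for a real page handler."""
    out.write("Content-Type: text/plain\r\n\r\nok\n")


if __name__ == "__main__":
    # Constructed request environment: a WebDAV method sent to a CGI script.
    sys.exit(0 if run_guarded(hello_handler, {"REQUEST_METHOD": "PROPFIND"}) == 405 else 1)
```

Because the check runs in the driver before dispatch, every handler passed to `run_guarded` gets the same behaviour without its own method test.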
