[ mailman-Patches-1578756 ] Handle unexpected HTTP method gracefully
SourceForge.net
noreply at sourceforge.net
Sun Oct 22 19:22:56 CEST 2006
Patches item #1578756, was opened at 2006-10-17 08:45
Message generated for change (Comment added) made by ppsys
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=300103&aid=1578756&group_id=103
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Web UI
Group: Mailman 2.1
Status: Open
Resolution: None
Priority: 5
Submitted By: Thijs Kinkhorst (kink)
Assigned to: Nobody/Anonymous (nobody)
Summary: Handle unexpected HTTP method gracefully
Initial Comment:
Hi!
When Mailman is confronted with an unexpected HTTP
method type (e.g. PROPFIND instead of GET/HEAD/POST),
it crashes. The attached patch fixes that more
gracefully by throwing the appropriate HTTP error.
Thanks for considering.
Thijs
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 17:22
Message:
Logged In: YES
user_id=75166
There are two issues:

1. Having Mailman's CGI scripts defend themselves against
   inappropriate application of WebDAV methods is good and would
   probably be required for RFC compliance if CGI had an RFC. The
   fact the fix only requires change to a single driver script
   to defend multiple functional scripts is a tribute to the
   original design.

2. Inappropriate configuration of Apache servers with respect
   to WebDAV is wrong.

   a. Many if not most legacy CGI scripts will not have been
      programmed to defend themselves against WebDAV methods.
      Fixing them on an existing system is time consuming and
      error prone. Fixing Apache config is easier and more
      reliable.

   b. Mailman's pipermail archives and much other served
      resource should also not be subject to WebDAV methods.
      Only getting the Apache config right can deal with this.

Fixing CGI scripts is good. Getting the Apache configuration
correct is more important.
----------------------------------------------------------------------
Comment By: Thijs Kinkhorst (kink)
Date: 2006-10-22 14:34
Message:
Logged In: YES
user_id=285765
Yes, that's true. However, in any case Mailman should output
a sensible error, I think?
----------------------------------------------------------------------
Comment By: Richard Barrett (ppsys)
Date: 2006-10-22 07:35
Message:
Logged In: YES
user_id=75166
There is an alternative to fixing cgi scripts to cope with inappropriate
WebDAV methods being applied to them, which works regardless of whether
they are Mailman cgi scripts or not.
Configure Apache not to apply WebDAV methods to inappropriate resources
by the use of Apache directives such as DAV Off and LimitExcept GET POST.
See:
http://httpd.apache.org/docs/2.0/mod/mod_dav.html
and
http://httpd.apache.org/docs/2.0/mod/core.html#limitexcept
----------------------------------------------------------------------
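The driver-level check discussed in this thread, as an added example. It is not the attached patch and not Mailman's code. It assumes 405 Method Not Allowed with an Allow header is the "appropriate HTTP error"; the names method_guard, run_driver and listinfo are hypothetical.

```python
import io

# Assumption: the scripts only need the methods the report names (GET/HEAD/POST).
ALLOWED_METHODS = ("GET", "HEAD", "POST")


def method_guard(environ):
    """Return None if the method is acceptable, else a complete CGI error response.

    environ is the CGI environment mapping (os.environ in a real CGI process).
    """
    method = environ.get("REQUEST_METHOD", "")
    if method in ALLOWED_METHODS:  # exact match: method names are case-sensitive
        return None
    body = "Method not allowed.\n"  # fixed text, the client's input is never echoed
    headers = [
        "Status: 405 Method Not Allowed",
        "Allow: " + ", ".join(ALLOWED_METHODS),
        "Content-Type: text/plain; charset=us-ascii",
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def run_driver(environ, handler, out):
    """Hypothetical driver: check the method once, then dispatch to any script."""
    rejection = method_guard(environ)
    if rejection is not None:
        out.write(rejection)
        return 405
    out.write(handler(environ))
    return 200


def listinfo(environ):
    """Stand-in for one functional script; it never sees an unexpected method."""
    return "Content-Type: text/plain\r\n\r\nlist overview\n"


def demo(method):
    """Run the driver on a constructed CGI environment; return (code, output)."""
    out = io.StringIO()
    code = run_driver({"REQUEST_METHOD": method}, listinfo, out)
    return code, out.getvalue()


if __name__ == "__main__":
    for m in ("GET", "PROPFIND", "get"):  # constructed sample methods
        print(m, demo(m)[0])
```

Because the check lives in the driver, every script dispatched through it is covered; resources served without the driver, such as the pipermail archives, still depend on the web server configuration.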