On Saturday 30 January 2010, Roy T. Fielding wrote:
> > */
> > if (!conf->provider->repos->handle_get) {
> > + if (r->finfo.filetype != APR_DIR)
> > + r->handler = "none";
> > return DECLINED;
> > }
> > }
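Review bot: the new `r->handler = "none"` assignment runs unconditionally for every non-directory resource whenever the provider has no `handle_get`, so a handler already chosen for that URL (the PHP/CGI-on-DAV case raised in the reply) is discarded before `DECLINED` is returned, and nothing in the hunk lets an administrator keep the old behaviour. If dropping script execution on URLs shared between DAV and scripts is intended for 2.4, gate the reset behind an explicit, documented configuration option or, at minimum, record the change in the upgrade notes so that a GET on such a URL silently falling through to the default handler is not a surprise.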
>
> It looks to me like that would introduce a security hole for
> existing configs that expect a handler to run on GET (PHP/CGI
> scripts that are authorable via DAV). -1 if so.
The recommended setup is to map separate URLs for DAV and script
execution to the content. It has been like this since at least 2.0.
The patch intentionally breaks existing configs that rely on the
ability to use the same URLs for DAV and script execution. Is this not
an acceptable change from 2.2 to 2.4 (if properly documented), as it
makes life a lot easier for people who use the recommended setup?
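The "separate URLs" layout the reply recommends, as an added configuration example that is not part of the thread; the paths, realm name and password file below are placeholders (httpd 2.4 syntax is assumed):

```apache
# Added illustration, not from the mailing-list thread.
# One on-disk tree, two URL prefixes: /dav for authoring, / for serving.
DavLockDB /var/lock/httpd/DavLock          # placeholder path
DocumentRoot /srv/www/site                 # placeholder path
Alias /dav /srv/www/site                   # same tree, DAV-only view

# Authoring view: WebDAV only. Scripts are stored here, never executed,
# because the handler is pinned to the plain file handler.
<Location /dav>
    Dav On
    SetHandler default-handler             # ignore AddHandler/PHP mappings
    ForceType text/plain                   # a GET returns the stored bytes
    AuthType Basic
    AuthName "DAV authoring"               # placeholder realm
    AuthUserFile /etc/httpd/dav.passwd     # placeholder file
    Require valid-user
</Location>

# Execution view: no DAV methods at all, scripts run as usual.
<Location />
    Dav Off
    Options +ExecCGI
    AddHandler cgi-script .cgi
    <LimitExcept GET POST HEAD>
        Require all denied                 # PUT/PROPFIND/... only via /dav
    </LimitExcept>
</Location>
```

With this split the patch in the quoted hunk is harmless: GET on the authoring URL already serves the file rather than running it, and the serving URL has no DAV provider to decline.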