On 11/08/2012 11:42 AM, Daniel Shahaf wrote:
> Thomas Åkesson wrote on Thu, Nov 08, 2012 at 15:15:03 +0100:
>>
>> On 5 nov 2012, at 09:11, Branko Čibej wrote:
>>
>>> On 05.11.2012 00:21, Thomas Åkesson wrote:
>>>> I did some tests with curl --head just as a sanity check. It seems
>>>> to be a good choice for access control. I primarily wanted to see
>>>> that HEAD requests were not allowed in situations where GET is not
>>>> (e.g. when user has access in directories below).
>>>>
>>>> The HEAD requests I performed (minimal curl command) did not cause
>>>> the server to provide Content-Length when returning "200 OK".
>>>
>>> Which is precisely what I was talking about in my other post. Such
>>> HEAD responses are invalid. If we implement HEAD, we have to do it
>>> correctly.
>>
>> Right, I was just confirming that.
>>
>> I think this is approaching off-topic for this thread. The server
>> (mod_dav_svn) currently does respond to HEAD requests without
>> Content-Length, which appears to be invalid. Perhaps a separate
>> issue/thread should discuss whether the HEAD response should be changed
>> to conform with the specification.
>>
>
> We could also add Content-Length if it's not required but cheap to
> compute. (svn_fs_file_length())

To date, I find myself unable through code inspection to see where "we" do
anything about HEAD requests. mod_dav itself doesn't explicitly handle that
request, so I'm wondering ... does Apache just handle a HEAD as a GET
under-the-hood and then discard the resulting response body? The comment
above the #defines for request types in httpd.h leads me to believe this is
likely:

   [...]
    * These constants are used in bit shifting masks of size int, so it is
    * unsafe to have more methods than bits in an int.  HEAD == M_GET.
   [...]

-- 
C. Michael Pilato <cmpil...@collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development
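
The two checks discussed in this thread (HEAD must not succeed where GET is refused, and whether a "200 OK" HEAD response carries Content-Length), as an added example that is not part of the original message or of the Subversion/httpd code. It compares header blocks as captured with `curl -i` and `curl --head`; the sample responses are constructed and the function names are hypothetical.

```python
# Added example: compare a GET and a HEAD response captured for the same URL.

def parse_response(raw):
    """Return (status, headers) from a raw response; any body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def compare_head_get(get_raw, head_raw):
    """List the ways the HEAD response diverges from the GET response."""
    g_status, g_hdr = parse_response(get_raw)
    h_status, h_hdr = parse_response(head_raw)
    if h_status != g_status:
        # Access-control parity: both methods must get the same decision.
        return [f"status mismatch: GET {g_status}, HEAD {h_status}"]
    findings = []
    if h_status == 200:
        g_len = g_hdr.get("content-length")
        h_len = h_hdr.get("content-length")
        if h_len is None:
            findings.append("HEAD 200 without Content-Length")
        elif g_len is not None and g_len != h_len:
            findings.append(f"Content-Length differs: GET {g_len}, HEAD {h_len}")
    return findings


# Constructed sample captures (not taken from a real server).
GET_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\nhello world\n"
HEAD_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\n"
HEAD_NO_LEN = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
GET_DENIED = "HTTP/1.1 403 Forbidden\r\nContent-Length: 9\r\n\r\nForbidden"
HEAD_DENIED = "HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    for label, g, h in [("file", GET_OK, HEAD_NO_LEN),
                        ("restricted dir", GET_DENIED, HEAD_OK)]:
        print(label, compare_head_get(g, h))
```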