 ID:               32561
 Updated by:       [EMAIL PROTECTED]
 Reported By:      mnot at pobox dot com
-Status:           Analyzed
+Status:           Assigned
 Bug Type:         Apache related
 Operating System: *
 PHP Version:      5.*, 4.*
-Assigned To:
+Assigned To:      rasmus
 New Comment:

Assigned to Rasmus who should know what to do with this bug.


Previous Comments:
------------------------------------------------------------------------

[2005-04-24 00:00:26] [EMAIL PROTECTED]

This was added in PHP 3, by Rasmus with this commit msg:

"AAPI cleanup - Set rqst->allowed correctly and deny OPTIONS requests"

------------------------------------------------------------------------

[2005-04-04 18:41:12] mnot at pobox dot com

By doing that, it's saying that it would handle those methods in the
future. If it won't, it shouldn't set that.

The downline handler *shouldn't* blow away r->allowed and put its own
values in; this would remove any information from other handlers. E.g.,
if mod_cgi did this, mod_dav couldn't advertise the methods that it
would catch.

------------------------------------------------------------------------

[2005-04-04 07:25:19] [EMAIL PROTECTED]

Actually, it resets the r->allowed to all the methods when it declines
to handle the request for the next handler in the chain. It probably
doesn't need to do this, but it isn't unique to the xbithack handler.
Whatever finally accepts to handle the request should be setting
r->allowed accordingly.

------------------------------------------------------------------------

[2005-04-04 05:19:18] mnot at pobox dot com

Description:
------------
When using the Apache module, PHP installs the xbithack handler for
text/html. This handler makes the following change to r->allowed, which
is what Apache uses to populate the Allowed header on responses that
require it (e.g., to OPTIONS, 405 Method Not Allowed, 501 Not
Implemented);

    r->allowed |= (1 << METHODS) - 1;

This has the effect of adding *all* known HTTP methods to the list.
Effectively, PHP is telling clients that it can handle all HTTP methods,
even for resources that aren't actually parsed as PHP.

This is also the case in php5.

Reproduce code:
---------------
mnot-laptop:~> telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
OPTIONS /index.html HTTP/1.1
Host: localhost

Expected result:
----------------
HTTP/1.1 200 OK
Date: Mon, 04 Apr 2005 03:12:29 GMT
Server: Apache/1.3.33 (Darwin) PHP/4.3.10
Cache-Control: max-age=3600
Expires: Mon, 04 Apr 2005 04:12:29 GMT
Content-Length: 0
Allow: GET, HEAD, OPTIONS, TRACE

Actual result:
--------------
HTTP/1.1 200 OK
Date: Mon, 04 Apr 2005 03:12:29 GMT
Server: Apache/1.3.33 (Darwin) PHP/4.3.10
Cache-Control: max-age=3600
Expires: Mon, 04 Apr 2005 04:12:29 GMT
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32561&edit=1
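
Added example (not part of the bug report and not PHP or Apache source): a small C model of the r->allowed bitmask showing how the reported `|= (1 << METHODS) - 1` turns the expected Allow value into the actual one. The bit positions are modelled on Apache 1.3 and are assumptions here, as are the helper names make_allow, decline_reported and decline_untouched; leaving the mask alone is one possible behaviour for a declining handler, not a fix taken from this thread.

```c
#include <stdio.h>
#include <string.h>

/* Method bit positions, modelled on Apache 1.3 (assumed values for this sketch). */
enum { M_GET, M_PUT, M_POST, M_DELETE, M_CONNECT, M_OPTIONS, M_TRACE, M_PATCH,
       M_PROPFIND, M_PROPPATCH, M_MKCOL, M_COPY, M_MOVE, M_LOCK, M_UNLOCK,
       M_INVALID, METHODS };

/* Render an Allow value from a method bitmask (hypothetical helper).
 * HEAD rides along with GET and TRACE is always listed, as in the report's output. */
static const char *make_allow(unsigned allowed, char *buf, size_t len)
{
    static const struct { int bit; const char *name; } order[] = {
        { M_GET, "GET, HEAD" }, { M_POST, "POST" }, { M_PUT, "PUT" },
        { M_DELETE, "DELETE" }, { M_CONNECT, "CONNECT" }, { M_OPTIONS, "OPTIONS" },
        { M_PATCH, "PATCH" }, { M_PROPFIND, "PROPFIND" }, { M_PROPPATCH, "PROPPATCH" },
        { M_MKCOL, "MKCOL" }, { M_COPY, "COPY" }, { M_MOVE, "MOVE" },
        { M_LOCK, "LOCK" }, { M_UNLOCK, "UNLOCK" },
    };
    size_t i;
    buf[0] = '\0';
    for (i = 0; i < sizeof order / sizeof order[0]; i++) {
        if (allowed & (1u << order[i].bit)) {
            strncat(buf, order[i].name, len - strlen(buf) - 1);
            strncat(buf, ", ", len - strlen(buf) - 1);
        }
    }
    strncat(buf, "TRACE", len - strlen(buf) - 1);
    return buf;
}

/* The declining handler as reported: ORs every method bit into the mask. */
static unsigned decline_reported(unsigned allowed)
{
    return allowed | ((1u << METHODS) - 1);
}

/* A declining handler that leaves the mask for whichever handler accepts. */
static unsigned decline_untouched(unsigned allowed)
{
    return allowed;
}

int main(void)
{
    char buf[256];
    unsigned base = (1u << M_GET) | (1u << M_OPTIONS); /* constructed: static file */
    printf("untouched: %s\n", make_allow(decline_untouched(base), buf, sizeof buf));
    printf("reported:  %s\n", make_allow(decline_reported(base), buf, sizeof buf));
    return 0;
}
```

When auditing a server's advertised methods, an Allow list like the second line is a reason to check which handler populated the mask before treating every listed method as actually enabled.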