Gordon Messmer, On Thursday January 23, 2003 10:50, Gordon Messmer wrote: > On Thu, 2003-01-23 at 18:47, Brian Ashe wrote: > > Actually, it is. It depends on what your index file type is. > > I can produce that behavior if I make my server's default virtual host's > index a php file, but not otherwise. That's sorta unexpected. Who > defines this behavior? Is it an effect of mod_php that php files > "support" CONNECT?
AFAIK, that's correct. Apache passes everything over to the "handlers" when it isn't supposed to do it itself. So since it knows it is the handler for HTML, it sets the methods it accepts for it. If mod_proxy is installed/configured then it should grab all the CONNECT requests. But since Apache sees the PHP file, it just passes the request in whole over to PHP and lets PHP sort it out. PHP accepts all methods (even ones that don't exist) and ignores the ones it can't use. For example... [brian@hell brian]$ telnet www.dee-web.com 80 Trying 206.105.178.65... Connected to www.dee-web.com. Escape character is '^]'. FOO / HTTP/1.0 HTTP/1.1 200 OK Date: Fri, 24 Jan 2003 04:45:06 GMT Server: Apache X-Powered-By: PHP/4.1.2 Connection: close Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <snipped rest of page> Is this bad or good? I'm not in a position to say. I guess I'll say it's bad when someone rips a gaping hole through it. I also believe that there are other apache modules that exhibit similar behaviour. Though I have to admit that arbitrary methods is a little disturbing. > > However, if you use (for example) PHP and have index.php as the default > > page, it will accept the unusual method (if not prevented by "Limit" > > directives) but wind up processing it as a "GET /" in the end. This is > > because, it will be just like when a user doesn't put a trailing slash in > > the location bar, Apache will automatically redirect it to /. > > I wouldn't go so far as to say that it's "just like" when a user forgets > the trailing slash. When that happens, apache explicitly tells the > browser to try again: > In fact, I don't see the parallel between the two behaviors at all... Well, the parallel is that the request of (as referred to by the previous logs regarding the proxy abuse check)... CONNECT www.host.name:25 HTTP/1.0 contains no path information so Apache does the redirect. (Yes, I probably shouldn't have used an analogy, they do always seem to go wrong somewhere.) -- Brian Ashe CTO Dee-Web Software Services, LLC. [EMAIL PROTECTED] http://www.dee-web.com/ -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe https://listman.redhat.com/mailman/listinfo/redhat-list
