On March 28, 2011 23:22, "Liu JinGang" <li...@cn.fujitsu.com> wrote:
>> Apache doesn't know what methods your CGI understands, so it doesn't
>> discriminate.
> Thanks!
> As you say, I can get the result that:
> CGI is executable by the method of no existence.
> And then do you have the document or web-link file explain this viewpoint?
> (I don't find it, but I need to show it to the customer.)

RFC 2616 defines the HTTP 1.1 protocol. Section 5.1.1 says that web browsers or web servers are allowed to invent new methods ("extension-method"). The document is http://www.ietf.org/rfc/rfc2616.txt

As Eric said, Apache lets your CGI decide what to do with an extension method. But if you do not want your CGI to decide, then you can use the Limit and LimitExcept directives to tell Apache to only allow certain methods.

Here is an example for restricting CGI to only GET, HEAD, POST, and OPTIONS methods. (Notes: Allowing GET automatically allows HEAD. Also, you still need "TraceEnable Off" because Limit and LimitExcept do not affect TRACE.)

TraceEnable Off
<Directory "/opt/web/htroot">
    Options FollowSymLinks ExecCGI
    AllowOverride all
    order allow,deny
    <Limit GET POST OPTIONS>
        allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        deny from all
    </LimitExcept>
</Directory>


For more information about Limit and LimitExcept directives, see:

http://httpd.apache.org/docs/2.2/mod/core.html#limit
http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept

--
  Mark Montague
  m...@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
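
An added example, not part of the original message or of the Apache project: a small Python audit that flags ExecCGI directories lacking a denying <LimitExcept> block, and a missing "TraceEnable Off", as described in the reply above. The sample configurations are constructed, the audit() function is hypothetical, and the regex parsing is a simplification that only recognises the 2.2-style "Deny from all" syntax used in the message.

```python
import re

# Constructed sample configs (not from the original message).
UNRESTRICTED = '''
<Directory "/opt/web/htroot">
    Options FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
</Directory>
'''
RESTRICTED = '''
TraceEnable Off
<Directory "/opt/web/htroot">
    Options FollowSymLinks ExecCGI
    Order allow,deny
    <Limit GET POST OPTIONS>
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>
</Directory>
'''

DIRECTORY = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
LIMIT_EXCEPT = re.compile(r'<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>', re.I | re.S)

def audit(conf):
    """Return findings for CGI directories that pass any HTTP method to the CGI."""
    # Drop comment lines so commented-out directives are not counted.
    conf = re.sub(r'^\s*#.*$', '', conf, flags=re.M)
    findings = []
    # Limit/LimitExcept do not affect TRACE, so TraceEnable is checked separately.
    if not re.search(r'^\s*TraceEnable\s+Off\b', conf, re.I | re.M):
        findings.append('TraceEnable Off is missing (TRACE is not covered by LimitExcept)')
    for path, body in DIRECTORY.findall(conf):
        if not re.search(r'^\s*Options\b.*(?<!-)\bExecCGI\b', body, re.I | re.M):
            continue  # CGI execution is not enabled here
        denied = [methods for methods, inner in LIMIT_EXCEPT.findall(body)
                  if re.search(r'^\s*Deny\s+from\s+all\b', inner, re.I | re.M)]
        if not denied:
            findings.append(path + ': ExecCGI without a denying <LimitExcept>; '
                            'extension methods reach the CGI')
    return findings

if __name__ == '__main__':
    for name, conf in (('unrestricted', UNRESTRICTED), ('restricted', RESTRICTED)):
        print(name, audit(conf) or 'ok')
```
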