Bug 22023

Summary: unsafe methods vs request URIs with fragment id
Product: Apache httpd-2
Reporter: Julian Reschke <julian.reschke>
Component: mod_dav
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED DUPLICATE    
Severity: major    
Priority: P3    
Version: 2.0.46   
Target Milestone: ---   
Hardware: All   
OS: other   

Description Julian Reschke 2003-07-31 14:41:04 UTC
Unsafe methods (such as DELETE) should reject requests where the request URI
contains a fragment identifier. Otherwise, requests by broken clients such as MS
Webfolder Client version 10.145.3914.17 may cause unintentional removals of
whole collections.

Example:

- take resource "a/%23b" and DELETE it with the aforementioned client
- client submits DELETE to "a/#"
- fragment id gets stripped, DELETE gets applied to the parent collection

(I'd personally prefer httpd to reject all requests with illegal request URIs,
but I'm not sure that the removal of what seems to be a workaround for broken
clients is acceptable)
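
The check requested in the description above, as an added example that is not part of the original report and is not httpd or mod_dav code: it shows what fragment stripping leaves as the target and rejects unsafe methods whose request-target carries a raw '#'. The function names, the 400 return value and the sample request lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; function names are hypothetical, not httpd/mod_dav API. */

/* HTTP's safe methods; every other method is treated as unsafe. */
static int is_safe_method(const char *method)
{
    static const char *const safe[] = { "GET", "HEAD", "OPTIONS", "TRACE" };
    for (size_t i = 0; i < sizeof safe / sizeof safe[0]; i++)
        if (strcmp(method, safe[i]) == 0)   /* method names are case-sensitive */
            return 1;
    return 0;
}

/* The behaviour described in the report: drop everything from the first raw '#'. */
static void strip_fragment(const char *target, char *out, size_t outlen)
{
    size_t n = strcspn(target, "#");
    if (outlen == 0)
        return;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, target, n);
    out[n] = '\0';
}

/* Proposed check: 400 for an unsafe method whose request-target has a raw '#';
 * 0 means continue. "%23" is an encoded octet in the path and is not affected. */
static int check_request_target(const char *method, const char *target)
{
    if (!is_safe_method(method) && strchr(target, '#') != NULL)
        return 400;
    return 0;
}

int main(void)
{
    /* Constructed request lines modelled on the report's example. */
    const char *cases[][2] = {
        { "DELETE", "/a/%23b" }, { "DELETE", "/a/#" }, { "GET", "/a/#" },
    };
    char acted_on[256];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        strip_fragment(cases[i][1], acted_on, sizeof acted_on);
        printf("%-6s %-8s stripped=%-8s check=%d\n", cases[i][0], cases[i][1],
               acted_on, check_request_target(cases[i][0], cases[i][1]));
    }
    return 0;
}
```
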
Comment 1 Joshua Slive 2003-07-31 15:15:22 UTC

*** This bug has been marked as a duplicate of 21799 ***
Comment 2 Joshua Slive 2003-07-31 15:16:11 UTC
Oops, wrong bug.
Comment 3 Joshua Slive 2003-07-31 15:16:30 UTC
Correct duplicate.

*** This bug has been marked as a duplicate of 21779 ***