Bug 64785

Summary:	allowmethods should be able to disable individual methods
Product:	Apache httpd-2	Reporter:	Eric Covener <covener>
Component:	mod_allowmethods	Assignee:	Apache HTTPD Bugs Mailing List <bugs>
Status:	NEW ---
Severity:	enhancement	CC:	spiceman
Priority:	P2	Keywords:	FixedInTrunk, PatchAvailable
Version:	2.5-HEAD
Target Milestone:	---
Hardware:	All
OS:	All
Attachments:	mod_allowmethods implementation of +-METHOD options mod_allowmethods implementation of +-METHOD options mod_allowmethods tests documentation of AllowMethods +\|-Method mod_allowmethods implementation of +-METHOD options mod_allowmethods tests mod_allowmethods implementation of +-METHOD options mod_allowmethods tests

Description Eric Covener 2020-10-05 11:51:31 UTC

Currently mod_allowmethods can only allow all methods (reset) or specific methods (FOO, BAR, BAZ) but cannot simply prevent a method from being used.

It would be nice to support something like this including merge:

AllowMethods -OPTIONS

Comment 1 Marcel Montes 2020-10-05 15:09:42 UTC

I've been talking to Eric Covener that I'm willing to give this a try.
I have no background on httpd hacking so wish me luck.

For now I'm checking the source code of allowmethods and server/core.c to see how doing the same with Options was handled. 

Any pointers are welcome.

Comment 2 Marcel Montes 2020-10-07 00:37:19 UTC

Created attachment 37484 [details]
mod_allowmethods implementation of +-METHOD options

Well, I'm attaching my jab at implementing this.

There's probably some not so stellar code.

In particular I'm interested in knowing if there's a better way to get a hold
of list of available/recognized methods.

Comment 3 Marcel Montes 2020-10-07 00:44:10 UTC

Another aspect I'm not sure about is if a specific aspect of the implementation makes sense.

Previously, when conf->allowed == 0, it meant no method was flagged as allowed, so all where (it was effectively a reset/no conf)

But now, in the following case, no method would be flagged as allowed, but I'd still expect it to be enforced for /foo/bar:

<Directory /foo>
    AllowMethods GET
</Directory>
<Directory /foo/bar>
    AllowMethods -GET
</Directory>

I think that makes sense, but I'd like know other people's view on this.

Comment 4 Marcel Montes 2020-10-09 17:30:52 UTC

Created attachment 37490 [details]
mod_allowmethods implementation of +-METHOD options

Comment 5 Marcel Montes 2020-10-09 17:34:04 UTC

Created attachment 37491 [details]
mod_allowmethods tests

Patch for two simple test cases.

Comment 6 Marcel Montes 2020-10-12 09:32:06 UTC

Created attachment 37495 [details]
documentation of AllowMethods +|-Method

Comment 7 Marcel Montes 2020-10-12 18:32:31 UTC

Created attachment 37497 [details]
mod_allowmethods implementation of +-METHOD options

Comment 8 Marcel Montes 2020-10-15 01:40:43 UTC

Created attachment 37500 [details]
mod_allowmethods tests

Comment 9 Marcel Montes 2020-10-15 01:42:10 UTC

Created attachment 37501 [details]
mod_allowmethods implementation of +-METHOD options

Comment 10 Marcel Montes 2020-10-15 01:43:43 UTC

Well, got it working.

I've added some tests and everything seems to be in working order, finally.

This needs some reviewing :)

Comment 11 Eric Covener 2020-10-22 01:09:15 UTC

I think you may have forgotten to "svn add" some of the static files in t/htdocs.  Check svn status /t/htdocs/modules/allowmethods|egrep ^?

Comment 12 Marcel Montes 2020-10-22 01:40:40 UTC

Created attachment 37523 [details]
mod_allowmethods tests

Comment 13 Marcel Montes 2020-10-22 01:41:32 UTC

Yes, forgot to add t/htdocs/modules/allowmethods/NoPost for the -POST test, sorry.

New patch attached.

(In reply to Eric Covener from comment #11)
> I think you may have forgotten to "svn add" some of the static files in
> t/htdocs.  Check svn status /t/htdocs/modules/allowmethods|egrep ^?

Comment 14 Eric Covener 2020-11-08 15:28:53 UTC

Thank you Marcel! Committed in http://svn.apache.org/viewvc?rev=1883203&view=rev and will propose for 2.4.x soon.