Bug 22023 - unsafe methods vs request URIs with fragment id
Summary: unsafe methods vs request URIs with fragment id
Status: CLOSED DUPLICATE of bug 21779
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_dav (show other bugs)
Version: 2.0.46
Hardware: All other
: P3 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2003-07-31 14:41 UTC by Julian Reschke
Modified: 2004-11-16 19:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Julian Reschke 2003-07-31 14:41:04 UTC
Unsafe methods (such as DELETE) should reject requests where the request URI
contains a fragment identifier. Otherwise, request by broken clients such as MS
Webfolder Client version 10.145.3914.17 may cause unintentional removals of
whole collections.


- take resource "a/%23b" and DELETE it with the aforementioned client
- client submits DELETE to "a/#"
- fragment id get stripped, DELETE gets applied to the parent collection

(I'd personally prefer httpd to reject all requests with illegal request URIs,
but I'm not sure that the removal of what seems to be a workaround for broken
clients is acceptable)
Comment 1 Joshua Slive 2003-07-31 15:15:22 UTC

*** This bug has been marked as a duplicate of 21799 ***
Comment 2 Joshua Slive 2003-07-31 15:16:11 UTC
Oops, wrong bug.
Comment 3 Joshua Slive 2003-07-31 15:16:30 UTC
Correct duplicate.

*** This bug has been marked as a duplicate of 21779 ***