Bug 64785 - allowmethods should be able to disable individual methods
Summary: allowmethods should be able to disable individual methods
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_allowmethods (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2020-10-05 11:51 UTC by Eric Covener
Modified: 2020-11-08 15:28 UTC (History)
1 user (show)



Attachments
mod_allowmethods implementation of +-METHOD options (4.93 KB, patch)
2020-10-07 00:37 UTC, Marcel Montes
Details | Diff
mod_allowmethods implementation of +-METHOD options (5.52 KB, patch)
2020-10-09 17:30 UTC, Marcel Montes
Details | Diff
mod_allowmethods tests (1.35 KB, patch)
2020-10-09 17:34 UTC, Marcel Montes
Details | Diff
documentation of AllowMethods +|-Method (2.09 KB, patch)
2020-10-12 09:32 UTC, Marcel Montes
Details | Diff
mod_allowmethods implementation of +-METHOD options (5.11 KB, patch)
2020-10-12 18:32 UTC, Marcel Montes
Details | Diff
mod_allowmethods tests (2.61 KB, patch)
2020-10-15 01:40 UTC, Marcel Montes
Details | Diff
mod_allowmethods implementation of +-METHOD options (5.10 KB, patch)
2020-10-15 01:42 UTC, Marcel Montes
Details | Diff
mod_allowmethods tests (2.73 KB, patch)
2020-10-22 01:40 UTC, Marcel Montes
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Covener 2020-10-05 11:51:31 UTC
Currently mod_allowmethods can only allow all methods (reset) or specific methods (FOO, BAR, BAZ) but cannot simply prevent a method from being used.

It would be nice to support something like this including merge:

AllowMethods -OPTIONS
Comment 1 Marcel Montes 2020-10-05 15:09:42 UTC
I've been talking to Eric Covener that I'm willing to give this a try.
I have no background on httpd hacking so wish me luck.

For now I'm checking the source code of allowmethods and server/core.c to see how doing the same with Options was handled. 

Any pointers are welcome.
Comment 2 Marcel Montes 2020-10-07 00:37:19 UTC
Created attachment 37484 [details]
mod_allowmethods implementation of +-METHOD options

Well, I'm attaching my jab at implementing this.

There's probably some not so stellar code.

In particular I'm interested in knowing if there's a better way to get a hold
of list of available/recognized methods.
Comment 3 Marcel Montes 2020-10-07 00:44:10 UTC
Another aspect I'm not sure about is if a specific aspect of the implementation makes sense.

Previously, when conf->allowed == 0, it meant no method was flagged as allowed, so all where (it was effectively a reset/no conf)

But now, in the following case, no method would be flagged as allowed, but I'd still expect it to be enforced for /foo/bar:

<Directory /foo>
    AllowMethods GET
</Directory>
<Directory /foo/bar>
    AllowMethods -GET
</Directory>

I think that makes sense, but I'd like know other people's view on this.
Comment 4 Marcel Montes 2020-10-09 17:30:52 UTC
Created attachment 37490 [details]
mod_allowmethods implementation of +-METHOD options
Comment 5 Marcel Montes 2020-10-09 17:34:04 UTC
Created attachment 37491 [details]
mod_allowmethods tests

Patch for two simple test cases.
Comment 6 Marcel Montes 2020-10-12 09:32:06 UTC
Created attachment 37495 [details]
documentation of AllowMethods +|-Method
Comment 7 Marcel Montes 2020-10-12 18:32:31 UTC
Created attachment 37497 [details]
mod_allowmethods implementation of +-METHOD options
Comment 8 Marcel Montes 2020-10-15 01:40:43 UTC
Created attachment 37500 [details]
mod_allowmethods tests
Comment 9 Marcel Montes 2020-10-15 01:42:10 UTC
Created attachment 37501 [details]
mod_allowmethods implementation of +-METHOD options
Comment 10 Marcel Montes 2020-10-15 01:43:43 UTC
Well, got it working.

I've added some tests and everything seems to be in working order, finally.

This needs some reviewing :)
Comment 11 Eric Covener 2020-10-22 01:09:15 UTC
I think you may have forgotten to "svn add" some of the static files in t/htdocs.  Check svn status /t/htdocs/modules/allowmethods|egrep ^?
Comment 12 Marcel Montes 2020-10-22 01:40:40 UTC
Created attachment 37523 [details]
mod_allowmethods tests
Comment 13 Marcel Montes 2020-10-22 01:41:32 UTC
Yes, forgot to add t/htdocs/modules/allowmethods/NoPost for the -POST test, sorry.

New patch attached.

(In reply to Eric Covener from comment #11)
> I think you may have forgotten to "svn add" some of the static files in
> t/htdocs.  Check svn status /t/htdocs/modules/allowmethods|egrep ^?
Comment 14 Eric Covener 2020-11-08 15:28:53 UTC
Thank you Marcel! Committed in http://svn.apache.org/viewvc?rev=1883203&view=rev and will propose for 2.4.x soon.