Bug 52539

Summary: Apache mod_dav 400 Bad Request for non-existent collection resource
Product: Apache httpd-2 Reporter: Garret Wilson <garret>
Component: mod_davAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER    
Severity: normal Keywords: MassUpdate
Priority: P2    
Version: 2.2.11   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Garret Wilson 2012-01-26 16:56:30 UTC 
Apache seems to be sending back a 400 Bad Request for a simple non-existing collection resource.

I have a resource `/test/junit/test.bin`. I want to check if the collection `/test/junit/test.bin/` exists (i.e. a collection of the same name)---according to RFC 2518, a collection (with a slash) and a non-collection are distinct. When I issue a `PROPFIND` on `/test/junit/test.bin/`, Apache responds with a 400 Bad Request.

Now, I understand that many people and implementation have blurred the lines between collections and non-collections---that is, whether a collection has to have an ending slash. But whatever the case, the collection `/test/junit/test.bin/` does not exist---issuing a `PROPFIND` on a collection that does not exist is not a "bad request". Shouldn't Apache simply issue a standard 404 Not Found or 410 Gone? What was "bad" about my request?

	PROPFIND /test/junit/test.bin/ HTTP/1.1
	depth: 1
	content-length: 102
	authorization: BASIC XXXXX
	host: example.com

	<?xml version="1.0" encoding="UTF-8"?>
	<D:propfind xmlns:D="DAV:">
		<D:allprop />
	</D:propfind>

	HTTP/1.1 400 Bad Request
	Date: Mon, 23 Jan 2012 15:30:37 GMT
	Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k DAV/2 SVN/1.7.2 mod_jk/1.2.28
	Content-Length: 226
	Connection: close
	Content-Type: text/html; charset=iso-8859-1

	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<html><head>
	<title>400 Bad Request</title>
	</head><body>
	<h1>Bad Request</h1>
	<p>Your browser sent a request that this server could not understand.<br />
	</p>
	</body></html>


Here's what Apache puts in the logs:

	[Mon Jan 23 14:31:09 2012] [error] [client XX.XXX.XX.XXX] Could not fetch resource information.  [400, #0]
	[Mon Jan 23 14:31:09 2012] [error] [client XX.XXX.XX.XXX] (20)Not a directory: The URL contains extraneous path components. The resource could not be identified.  [400, #0]

Yes, I understand that a resource of the same name (without the ending slash) exists and I'm asking for properties of a collection (with the slash). So yes, we can predict when Apache will return 400. But I do not believe that 400 Bad Request is a correct response, and I can find nothing in RFC 2518 to justify 400 Bad Request. I made a perfectly valid request for a collection resource that did not exist, so in my opinion Apache should send back a 404 Not Found indicating that this collection resource does not exist.

There was nothing "bad" about my request. So Apache found another resource (`/test/junit/test.bin`) that exists. So what? I wasn't asking about that resource. I was asking about `/test/junit/test.bin/`. The answer is (or should be) that it doesn't exist---not that I made a bad request.

See http://stackoverflow.com/questions/8976331/apache-mod-dav-400-bad-request-for-non-existent-collection-resource .
Comment 1 William A. Rowe Jr. 2018-11-07 21:09:03 UTC 
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.