22023 – unsafe methods vs request URIs with fragment id

Bug 22023 - unsafe methods vs request URIs with fragment id

Summary: unsafe methods vs request URIs with fragment id

Status:	CLOSED DUPLICATE of bug 21779

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_dav (show other bugs)
Version:	2.0.46
Hardware:	All other

Importance:	P3 major (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-07-31 14:41 UTC by Julian Reschke
Modified:	2004-11-16 19:05 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Julian Reschke 2003-07-31 14:41:04 UTC

Unsafe methods (such as DELETE) should reject requests where the request URI
contains a fragment identifier. Otherwise, request by broken clients such as MS
Webfolder Client version 10.145.3914.17 may cause unintentional removals of
whole collections.

Example:

- take resource "a/%23b" and DELETE it with the aforementioned client
- client submits DELETE to "a/#"
- fragment id get stripped, DELETE gets applied to the parent collection

(I'd personally prefer httpd to reject all requests with illegal request URIs,
but I'm not sure that the removal of what seems to be a workaround for broken
clients is acceptable)

Comment 1 Joshua Slive 2003-07-31 15:15:22 UTC


*** This bug has been marked as a duplicate of 21799 ***

Comment 2 Joshua Slive 2003-07-31 15:16:11 UTC

Oops, wrong bug.

Comment 3 Joshua Slive 2003-07-31 15:16:30 UTC

Correct duplicate.

*** This bug has been marked as a duplicate of 21779 ***