Possible risk with Mandatory

From: by way of Henrik Frystyk Nielsen (francis@netscape.com)
Date: Thu, Jul 02 1998
Message-Id: <3.0.5.32.19980702043558.00b89be0@localhost>
Date: Thu, 02 Jul 1998 04:35:58 -0400
To: ietf-http-ext@w3.org
From: John Stracke <francis@netscape.com> (by way of Henrik Frystyk Nielsen <frystyk@w3.org>)
Subject: Possible risk with Mandatory

Excuse me if this has already been pointed out, but there is
at least one Web server (Apache) which, at least sometimes,
implements CGI in such a way that *all* HTTP methods get
passed to the CGI script, even if the server doesn't know
them.  Many CGI scripts will probably just ignore the
REQUEST_METHOD variable, meaning that M-GET, or M-PUT, or
J-RANDOM-METHOD, will be treated just like GET.

I don't think this is even a violation of RFC-2068, which
reads:

> Servers SHOULD return the status code 405 (Method Not
> Allowed) if the method is known by the server but not
> allowed for the requested resource, and 501 (Not
> Implemented) if the method is unrecognized or not
> implemented by the server.

Note that I'm not on the list or anything; I thought of this
when we were considering using Mandatory in WebDAV, and
thought I'd pass it along.

--
/====================================================================\
|John (Francis) Stracke    |My opinions are my own.|S/MIME supported |
|Software Retrophrenologist|=========================================|
|Netscape Comm. Corp.      | Cogito ergo Spud.  (I think, therefore  |
|francis@netscape.com      |  I yam.)                                |
\====================================================================/
New area code for work number: 650