On March 28, 2011 23:22 , "Liu JinGang" <liujg@xxxxxxxxxxxxxx> wrote:
Apache doesn't know what methods your CGI understands, so it doesn't discriminate.Thanks! As you say, I can get the result that: CGI is executable by the method of no existence. And then do you have the document or web-link file explain this viewpoint? (I don't find it, but I need to show it to the customer.)
RFC 2616 defines the HTTP 1.1 protocol. Section 5.1.1 says that web browsers or web servers are allowed to invent new methods ("extension-method"). The document is http://www.ietf.org/rfc/rfc2616.txt
As Eric said, Apache lets your CGI decide what to do with extension method. But if you do not want your CGI to decide, then you can use the Limit and LimitExcept directives to tell Apache to only allow certain methods.
Here is an example for restricting CGI to only GET, HEAD, POST, and OPTIONS methods. (Notes: Allowing GET automatically allows HEAD. Also, you still need "TraceEnable Off" because Limit and LimitExcept do not affect TRACE.)
TraceEnable Off <Directory "/opt/web/htroot"> Options FollowSymLinks ExecCGI AllowOverride all order allow,deny <Limit GET POST OPTIONS> allow from all </Limit> <LimitExcept GET POST OPTIONS> deny from all </LimitExcept> </Directory> For more information about Limit and LimitExcept directives, see: http://httpd.apache.org/docs/2.2/mod/core.html#limit http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept -- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx