From: Zach White Date: 01:57 on 14 Dec 2007 Subject: When is a POST not a POST? When it's a GET, of course! So, I don't know who is to blame, or what they were thinking, but someone on the Apache team needs to spend some quality time with Bubba and his lart. It seems that if you POST to url which maps to a file, Apache2 (on redhat and ubuntu, at least) serves that file as if you had issued a GET. Apache 1 as shipped with OpenBSD (properly) throws a 405 error. HATE, TOPPED WITH BILE, WITH A GOOD SPRINKLING OF SCORN ON TOP -Zach
From: Robert Rothenberg Date: 11:57 on 14 Dec 2007 Subject: Re: When is a POST not a POST? On 14/12/07 01:57 Zach White wrote: > When it's a GET, of course! Read the HTTP/1.1 protocol. The only difference between the two methods is that POST is intended for submitting supplementary data with it: 9.5 POST The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.... The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI. The posted entity is subordinate to that URI in the same way that a file is subordinate to a directory containing it, a news article is subordinate to a newsgroup to which it is posted, or a record is subordinate to a database. > So, I don't know who is to blame, or what they were thinking... > It seems that if you POST to url which maps to a file, Apache2 (on redhat > and ubuntu, at least) serves that file as if you had issued a GET. > Apache 1 as shipped with OpenBSD (properly) throws a 405 error. The protocol doesn't forbid using the POST method on static content, well, because it doesn't differentiate between static files and dynamic ones as far as request methods are concerned. Your confusing the HTTP protocol with CGI. Apache2 on Red Hat and Ubuntu is is no less proper than Apache1 on OpenBSD as far as the protocol specs are concerned--- webservers have been behaving like that for a long time. What OpenBSD is doing is (from a security point of view) "good practice" in the same way that returning an error when a Perl subroutine receives extra arguments. Q: does one get errors if one passes arguments via the GET request as well? e.g. http://example.com/file.html?arg=using+get+instead+of+post Rob
Generated at 10:27 on 16 Apr 2008 by mariachi