[SOLVED] PUT DELETE enabled by default?

[frist44]

I have read that these methods aren't enabled unless you load mod_dav, is this true?

 

We have a simple web server hosting up PHP, and just want to make sure those commands can not be run.

 

thanks.

[rhodesa]

in my apache config, i have the following, which i copied from somewhere and should work

 

        #   Deny PUT/DELETE Requests
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE)
        RewriteRule .* - [F]

[corbin]

If I remember correctly, PUT as defined by the HTTP protocol works like this:

 

 

PUT /path/to/somewhere HTTP/1.1

 

 

And then /path/to/somewhere would be the CGI script that handles the PUTting.

 

 

 

And, Apache does not handle the DELETE header in its core.  As far as I know, mod_dav must be in use for DELETE to be used for anything.

 

 

 

More info:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

 

 

 

Hrmm, actually, after looking through the Apache source just now (because I'm curious), it would seem that mod_dav handles PUT as well.

 

/* handle the PUT method */

static int dav_method_put(request_rec *r)

 

But now I'm going to find where that's called from and so on.  (Also, it looks like Script PUT /path/to/a/script can be used to tell Apache what to do with all PUT requests.)

 

 

 

 

 

Hehe this post was over kill, but been curious about this subconsciously for a while now I guess (although I knew that Apache by default does nothing with PUT/DELETE [well not nothing, but essentially nothing]).

[frist44]

Thanks for the insight Corbin!