On 11/08/2012 11:42 AM, Daniel Shahaf wrote:
> Thomas Åkesson wrote on Thu, Nov 08, 2012 at 15:15:03 +0100:
>>
>> On 5 nov 2012, at 09:11, Branko Čibej wrote:
>>
>>> On 05.11.2012 00:21, Thomas Åkesson wrote:
>>>> I did some tests with curl --head just as a sanity check. It seems
>>>> to be a good choice for access control. I primarily wanted to see
>>>> that HEAD requests were not allowed in situations where GET is not
>>>> (e.g. when user has access in directories below).
>>>>
>>>> The HEAD requests I performed (minimal curl command) did not cause
>>>> the server to provide Content-Length when returning "200 OK".
>>>
>>> Which is precisely what I was talking about in my other post. Such
>>> HEAD responses are invalid. If we implement HEAD, we have to do it
>>> correctly.
>>
>> Right, I was just confirming that.
>>
>> I think this is approaching off-topic for this thread. The server
>> (mod_dav_svn) currently does respond to HEAD requests without
>> Content-Length, which appears to be invalid. Perhaps a separate
>> issue/thread should discuss whether the HEAD response should be changed
>> to conform with the specification.
>>
>
> We could also add Content-Length if it's not required but cheap to
> compute. (svn_fs_file_length())
To date, I find myself unable through code inspection to see where "we" do
anything about HEAD requests. mod_dav itself doesn't explicitly handle that
request, so I'm wondering ... does Apache just handle a HEAD as a GET
under-the-hood and then discard the resulting response body? The comment
above the #defines for request types in httpd.h leads me to believe this is
likely:
[...]
* These constants are used in bit shifting masks of size int, so it is
* unsafe to have more methods than bits in an int. HEAD == M_GET.
[...]
--
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet <> www.collab.net <> Enterprise Cloud Development
Received on 2012-11-09 16:15:42 CET