Web Publishing Using HTTP PUT

<ol>
<li><p><b>Introduction</b></p>

<p>Besides specifying the well-known GET and POST methods familiar to CGI programmers 
on the World Wide Web, the HTTP specification also describes the lesser-known PUT 
method, useful for uploading files to the web server from PUT-capable HTML editors 
such as Netscape Navigator Gold (http://www.netscape.com) or AOLpress (http://www.aolpress.com). When used properly, the HTTP PUT method provides a useful alternative 
to FTP uploading and is easily integrated into the robust Apache web server by 
means of a special CGI program.</p>

<li><p><b>How to Use PUT</b></p>

<ul>
<li><p>Installation</p>

<ol>
<li><p>Log in to your virtual server in a telnet session.</p>

<li><p>Update your web server to the most recent version of Apache available by typing</p>

<pre>% updateapache
</pre>

<p>at the server prompt.</p>

<li><p>Install the PUT CGI distribution on the virtual server by typing</p>

<pre>% cd ~
% tar xvf /usr/local/contrib/put.tar
</pre>

<p>while in your home directory.</p>
</ol>

<li><p>Configuration</p>

<ol>
<li><p>Decide what directories on the virtual server you wish to make available for PUT publishing. 
For each directory hierarchy, add a configuration block to your ~/www/conf/ 
access. conf file similar to the following:</p>

<pre>
&lt;Directory $PATH&gt;
AllowOverride None
&lt;Limit PUT&gt; 
order allow, deny 
allow from all 
&lt;/Limit&gt; 
&lt;/Directory&gt; 
</pre>

<p>where &quot;$PATH&quot; is replaced with the directory name under your home directory. As an 
example, if your PUT publishers need to upload to directories under ~/www/htdocs, 
use &quot;/www/htdocs&quot; for &quot;$PATH&quot; in the configuration block listed above. Exercise caution 
when allowing overrides, since this may lead to security holes in environments 
involving multiple content authors by allowing end users to run untrusted CGI scripts.</p>

<li><p>Now, enable Apache to recognize the HTTP PUT method. Add the following lines to 
~/www/conf/srm.conf:</p>

<pre>ScriptAlias /auth-cgi-bin /www/ auth-cgi-bin 
Script PUT /auth-cgi-bin/ put
</pre>

<li><p>The PUT CGI relies on the $REMOTE_USER CGI environment variable for authenti-cation 
purposes, so the CGI needs to reside in a directory protected by HTTP password 
authentication. The easiest way to provide this is by protecting the ~/www/auth-cgi-bin 
directory with a .htaccess file. To do so, place a .htaccess file in ~/www/auth-cgi-bin 
containing the following:</p>

<pre>
AuthUserFile /etc/passwd 
AuthGroupFile /dev/null 
AuthName PUT METHOD UPLOAD 
AuthType Basic 
&lt;Limit PUT&gt; 
order allow, deny 
allow from all 
require user $USER 
&lt;/Limit&gt;
</pre>

<p>where &quot;$USER&quot; is the login name of a PUT author on your virtual server. Additional 
login names should be added to the end of the &quot;require&quot; line (separated by spaces) as 
needed. An alternate approach to using &quot;require user&quot; would be to use &quot;require group&quot; 
(with a valid &quot;AuthGroupFile&quot; directive) or to use &quot;require valid-user&quot; to enable all 
users that can successfully log in.</p>
</ol>

<li><p>Examples</p>

<ol>
<p>In a virtual server environment where a single trusted author will be developing all web 
site content the Apache configuration files might resemble the following:</p>

<p>Added to ~/www/conf/access.conf:</p>

<pre>&lt;Directory /www/htdocs&gt; 
AllowOverride All 
&lt;Limit PUT&gt; 
order allow, deny 
allow from all 
&lt;/Limit&gt; 
&lt;/Directory&gt; 
</pre>

<p>Added to ~/www/conf/srm.conf:</p>

<pre>ScriptAlias /auth-cgi-bin/www/auth-cgi-bin
Script PUT /auth-cgi-bin/put
</pre>

<p>In ~/www/auth-cgi-bin/.htaccess:</p>

<pre>AuthUserFile /etc/passwd 
AuthGroupFile /dev/null 
AuthName PUT METHOD UPLOAD
AuthType Basic
&lt;Limit PUT&gt;
order allow, deny
allow from all
require user fred
&lt;/Limit&gt;
</pre>

<p>Notice here that the access. conf file has enabled configuration overrides on a per-directory 
basis under ~/www/htdocs. PUT uploading is enabled only for a user named &quot;fred&quot; whose 
password information can be found in ~/etc/passwd (the virtual server password file). In 
~/etc/passwd the home directory for user &quot;fred&quot; should be /usr/local/etc/httpd/htdocs, 
since the PUT method CGI will restrict uploads to Fred's home directory or a subdirectory 
thereof. Since user &quot;fred&quot; has the ability to enable CGI scripting under ~/www/htdocs and 
is able to make other access modifications (such as creating password-protected web 
pages) by virtue of the &quot;AllowOverride All&quot; directive, it is important that you be able to 
trust Fred and his actions. Be very careful about enabling configuration overrides! Failure 
to understand the security ramifications of this important web server configuration issue 
can create very serious security holes on your virtual server. When in doubt, opt for a 
&quot;denied unless allowed&quot; security policy instead of an &quot;allowed unless denied&quot; policy.</p>

<p>Now suppose instead that you have three users --&quot;ernie&quot;, &quot;bert&quot;, and &quot;oscar&quot; --that would 
like to use HTTP PUT to upload their web pages. Assume that the home directory in ~/etc/passwd for each user is a directory under /usr/local/etc/httpd/htdocs named after the user, 
namely /usr/local/etc/httpd/htdocs/ernie, /usr/local/etc/httpd/htdocs/bert, and /usr/local/etc/httpd/htdocs/oscar. For the sake of this example, assume that Ernie, Bert, and Oscar 
are untrusted users. Each should be able to upload files under their respective directories, 
but access control and configuration modification privileges should be denied. The web 
server files for this example might resemble the following:</p>

<p>Added to ~/ www/ conf/ access. conf:</p>

<pre>&lt;Directory /www/htdocs/ernie&gt;
AllowOverride None 
&lt;Limit PUT&gt;
order allow, deny
allow from all
&lt;/Limit&gt;
&lt;/Directory&gt; 

&lt;Directory /www/htdocs/bert&gt;
AllowOverride None
&lt;Limit PUT&gt; 
order allow, deny 
allow from all 
&lt;/Limit&gt;
&lt;/Directory&gt;

&lt;Directory /www/htdocs/oscar&gt;
AllowOverride None
&lt;Limit PUT&gt;
order allow, deny
allow from all
&lt;/Limit&gt;
&lt;/Directory&gt;
</pre>

<p>Added to ~/www/conf/srm.conf:</p>

<pre>ScriptAlias /auth-cgi-bin/www/auth-cgi-bin
Script PUT /auth-cgi-bin/put
</pre>

<p>In ~/www/auth-cgi-bin/.htaccess:</p>

<pre>AuthUserFile /www/auth-cgi-bin/.htpasswd 
AuthGroupFile /dev/null
AuthName PUT METHOD UPLOAD
AuthType Basic 
&lt;Limit PUT&gt;
order allow, deny
allow from all
require user ernie bert oscar
&lt;/Limit&gt;
</pre>

<p>This example demonstrates that the password information for these users can reside in a 
file other than ~/etc/passwd. In this case, the username and password information is 
stored in ~/www/auth-cgi-bin/.htpasswd, thus allowing these users to have different passwords
for FTP/ POP services (stored in ~/etc/passwd) and for PUT uploading (stored here
in ~/www/auth-cgi-bin/.htpasswd). The ~/www/auth-cgi-bin/.htpasswd file is created
with the &quot;htpasswd&quot; command, as follows:</p>

<pre>% htpasswd -c ~/ www/ auth-cgi-bin/. htpasswd ernie 
Adding password for ernie. 
New password: &lt;--type "chickens" 
Re-type new password: &lt;--type "chickens" 
% htpasswd ~/www/auth-cgi-bin/.htpasswd bert 

Adding user bert
New password: &lt;--type "pigeons"
Re-type new password: &lt;--type "pigeons"
% htpasswd ~/ www/ auth-cgi-bin/. htpasswd oscar
Adding user oscar 
New password: &lt;--type "trashcan"
Re-type new password: &lt;--type "trashcan"
%
</pre>

<p>where Ernie's password is &quot;chickens&quot;, Bert's password is &quot;pigeons&quot;, and Oscar's password
is &quot;trashcan&quot;. Typing &quot;htpasswd&quot; by itself on a command line prints a help message:</p>

<pre>% htpasswd
Usage: htpasswd [-c] passwordfile username 
The -c flag creates a new file.
%
</pre>

<p>When finished, the ~/www/auth-cgi-bin/.htpasswd file resembles:</p>

<pre>ernie: 3nfbAgvhlAQkA
bert: xP/ OZpc77c3iE 
oscar: gKdDCb7EMFUaM 
</pre>

<p>containing username and DES password pairs separated by a colon.</p>

   </ol>
  </ul>

<li><p><b>Additional References</b></p>

<p>More information about configuring Apache to use the HTTP PUT method and using the 
PUT method and HTTP in general can be found at the following URLs:</p>

<p>
<a href="http://www.apacheweek.com/features/put">http://www.apacheweek.com/features/put</a><br>
<a href="http://www.mat.uni.torun.pl/~aztoruns/doc/apache-put.html">http://www.mat.uni.torun.pl/~aztoruns/doc/apache-put.html</a><br>
<a href="http://www.w3.org:80/Amaya/User/Put.html">http://www.w3.org:80/Amaya/User/Put.html</a><br>
<a href="http://www.w3.org:80/Protocols/">http://www.w3.org:80/Protocols/</a>
</p>

</ol>