Here are some brief notes on what's going on here, and thoughts for the future:
This is a directory which allows essentially anonymous PUTs, via a back-end CGI put handler (mod_actions), which checks that it is in fact being run as a child of the web server via a little paranoia support which I added to the CGI code (and which appears in the current release of my threaded server, though never fear, there's nothing thread-specific about it --- those just happen to be my working sources).
The directory and everything PUT into it is back-ended into RCS; the environment of the CGI processes doing the PUTs is used for log messages, and RCS itself stores the dates. Some basic sanity-checking is secured by having the PUT handler simply refuse to do a PUT into a directory which doesn't have an RCS subdirectory, or which has one, but no WEB.PUT.CTL file inside it. There's also considerable other paranoia...
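The directory gate described above, as an added Python sketch that is not the handler's own code. The names put_allowed, doc_root and rel_path are assumptions, and the path canonicalisation and symlink refusal are added hardening that the notes do not describe.

```python
import os
import tempfile

CTL_NAME = "WEB.PUT.CTL"   # control-file name taken from the notes above


def put_allowed(doc_root, rel_path):
    """Return (allowed, reason) for a PUT of rel_path beneath doc_root.

    Assumption: doc_root and rel_path are how this sketch receives the
    request target; the notes do not say how the real handler gets them.
    """
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, rel_path.lstrip("/")))
    # Canonicalise first so "../" or a symlink cannot move the write
    # outside the tree (an added check, not described in the notes).
    if os.path.commonpath([root, target]) != root or target == root:
        return False, "target outside document root"
    parent = os.path.dirname(target)
    rcs_dir = os.path.join(parent, "RCS")
    # Rule 1 from the notes: the directory must have an RCS subdirectory.
    # Refusing a symlinked RCS is an added check, not from the notes.
    if not os.path.isdir(rcs_dir) or os.path.islink(rcs_dir):
        return False, "no RCS subdirectory"
    # Rule 2 from the notes: RCS must contain the control file.
    if not os.path.isfile(os.path.join(rcs_dir, CTL_NAME)):
        return False, "no " + CTL_NAME + " in RCS"
    return True, "ok"


def demo():
    """Build a constructed directory tree and run the gate over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "open", "RCS"))
        open(os.path.join(root, "open", "RCS", CTL_NAME), "w").close()
        os.makedirs(os.path.join(root, "half", "RCS"))   # RCS, no control file
        os.makedirs(os.path.join(root, "closed"))        # no RCS at all
        cases = ["open/page.html", "half/page.html",
                 "closed/page.html", "open/../../escape.html"]
        return {c: put_allowed(root, c) for c in cases}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(path, verdict)
```

Because the gate looks at the target's own parent directory, a PUT aimed at a file inside RCS itself is refused too: that directory has no RCS subdirectory of its own.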