You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Scott Stevenson <sc...@websculptors.com> on 1999/03/14 11:35:06 UTC

mod_access/4054: Allow directive does not correctly override eariler Deny directive

>Number:         4054
>Category:       mod_access
>Synopsis:       Allow directive does not correctly override eariler Deny directive
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Mar 14 02:40:01 PST 1999
>Last-Modified:
>Originator:     scotts@websculptors.com
>Organization:
apache
>Release:        1.3.4
>Environment:
Red Hat 5.2 on Pentium II

[root@pele logs]# uname -a
Linux pele.golaso.com 2.0.36 #1 Tue Oct 13 22:17:11 EDT 1998 i686 unknown

[root@pele logs]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.7.2.3/specs
gcc version 2.7.2.3
>Description:
The following (contained within VirtualHost) should deny access to the docroot for everyone except 128.66.12.2:

<Directory />
Options None
AllowOverride None
Order allow,deny
Deny from all
</Directory>

<Directory "/SomeFilesystem/SomeDocroot">
Options FollowSymLinks IncludesNoExec
AllowOverride None
Order allow,deny
Deny from all
Allow from 128.66.12.2
</Directory>

Unfortunately, it just denies access to everyone, including 128.66.12.2.

The workaround is to remove the "Deny from all" from the second Directory directive:

<Directory />
Options None
AllowOverride None
Order allow,deny
Deny from all
</Directory>

<Directory "/SomeFilesystem/SomeDocroot">
Options FollowSymLinks IncludesNoExec
AllowOverride None
Order allow,deny
#Deny from all
Allow from 128.66.12.2
</Directory>

In which case, the desired behavior is achieved. The end result is the same, but the ambiguity caused me about an hour of frustration. Additionally, the mod_access docs seem to support the idea the the first example above should work.
>How-To-Repeat:

>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]