Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/03/26 22:28:37 UTC

DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav

http://issues.apache.org/bugzilla/show_bug.cgi?id=41911


basant.kukreja@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




------- Additional Comments From basant.kukreja@sun.com  2007-03-26 13:28 -------
As you wrote in your second point:
>2. Using a DE certificate, it is possible to get access to /dir
>where dir/subdir is also shown.  Under webdavs, it is also possible
>to get access to /dir/subdir  Is that "expected" behaviour?

I could not reproduce the issue. Here is my experiment:

Here is my configuration:

<Directory "/disk/apache/apache2/htdocs/test">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "US"
    </IfModule>
</Directory>

<Directory "/disk/apache/apache2/htdocs/test/subdir">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "DE"
    </IfModule>
</Directory>


Using a "US"-based client certificate, when I send the /test/ request I
don't see the subdir in the directory listing.

------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:09:53 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 256
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------


If I try to access /test/subdir/ then I get permission
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Mon, 26 Mar 2007 20:10:55 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
------------------------------------------------------



Now if I change the subdirectory configuration, e.g.:

<Directory "/disk/apache/apache2/htdocs/test/subdir">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "US"
    </IfModule>
</Directory>

[/disk/apache/apache2] $ bin/apachectl restart 

Now if I send the request again then I see the "/subdir" as part of my
listing.
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:11:17 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 296
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="subdir/"> subdir/</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------

Also as expected, if I send the /test/subdir/ URI then I get the listing.

Kindly provide more information which could be helpful to reproduce the issue.
Also kindly provide information about which webdav tool you are using.
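
The comparison made by hand above (what one client certificate sees in the
/test/ listing versus what it gets when requesting each entry directly) can be
run over saved `curl --dump-header - -o -` output. This is an added example,
not part of the original comment or of httpd; the function names and the
trimmed sample responses are constructed for illustration.

```python
from html.parser import HTMLParser

class Links(HTMLParser):
    """Collect href values from an autoindex-style HTML listing."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def parse_response(raw):
    """Split `curl --dump-header - -o -` output into (status code, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return int(head.split()[1]), body

def listed_children(body):
    """Relative entries in the listing (the parent link is absolute)."""
    parser = Links()
    parser.feed(body)
    return {h for h in parser.hrefs if not h.startswith("/")}

def audit(listing_raw, children):
    """Compare one certificate's listing with its direct requests.
    children maps a relative href to the raw response for that URL."""
    status, body = parse_response(listing_raw)
    listed = listed_children(body) if status == 200 else set()
    findings = []
    for href, raw in sorted(children.items()):
        code, _ = parse_response(raw)
        if href in listed and code == 403:
            findings.append((href, "listed but forbidden"))
        elif href not in listed and code == 200:
            findings.append((href, "not listed but served"))
    return findings

# Constructed samples, trimmed from the responses quoted in the comment.
def index_page(*names):
    items = "".join(f'<li><a href="{n}"> {n}</a></li>\n' for n in names)
    return ("HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
            '<ul><li><a href="/"> Parent Directory</a></li>\n' + items + "</ul>\n")

FORBIDDEN = "HTTP/1.1 403 Forbidden\nContent-Type: text/html\n\n<h1>Forbidden</h1>\n"
US_VS_DE = audit(index_page("test.html"), {"subdir/": FORBIDDEN})  # first config
US_VS_US = audit(index_page("subdir/", "test.html"), {"subdir/": index_page()})
MISMATCH = audit(index_page("test.html"), {"subdir/": index_page()})  # constructed

if __name__ == "__main__":
    print(US_VS_DE, US_VS_US, MISMATCH)
```

An empty result means the listing and the direct requests agree for that
certificate; either finding marks a directory whose access rules deserve review.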

