Posted to docs@httpd.apache.org by bu...@apache.org on 2010/11/30 01:58:29 UTC
DO NOT REPLY [Bug 50378] New: examples on <Location /> might trick
people into wrong feeling of security
https://issues.apache.org/bugzilla/show_bug.cgi?id=50378
Summary: examples on <Location /> might trick people into wrong
feeling of security
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Documentation
AssignedTo: docs@httpd.apache.org
ReportedBy: calestyo@scientia.net
Hi.
Marked this as major, as it might (IMHO) trick people or their understanding on
how to secure a server.
In several places, e.g.:
http://httpd.apache.org/docs/2.2/mod/core.html#location
http://httpd.apache.org/docs/2.2/sections.html#file-and-web ("What to use When"
section)
and maybe others
you describe that using <Location /> is perfectly secure (to do access control)
as it applies to all requests.
Depending on how merging works (see my other issue #50377) this is NOT totally
true, as the following example proves:
<Location />
    Order allow,deny
    Deny from all
</Location>
<LocationMatch /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from 127.0.0.1 ::1
</LocationMatch>
From the <Location /> one might think "this applies to everything thus all
access to the server is forbidden"... however due to the 2nd section this is
actually not true.
Cheers,
Chris.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
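To make the merging behaviour in the report concrete, here is a small added model (not code from the bug thread or from httpd) of how 2.2-style host-based access control is resolved when several Location sections match one URI. It assumes that the host directives (Order/Allow/Deny) of the last matching section in configuration order replace those of earlier sections rather than combining with them, which is why the second section re-opens /server-status; the client addresses in the probes are constructed sample values.

```python
"""Toy model of httpd 2.2 <Location>/<LocationMatch> merging for host-based
access control, written to illustrate the configuration in Bug 50378.

Added example, not code from the bug thread or from httpd.  ASSUMPTION: when
several sections match a URI, the host directives of the LAST matching section
in config order replace those of earlier sections (they do not combine).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Section:
    """One <Location> (prefix match) or <LocationMatch> (regex) container."""
    kind: str                       # "Location" or "LocationMatch"
    pattern: str
    order: Optional[str] = None     # "allow,deny" or "deny,allow"
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def matches(self, uri: str) -> bool:
        if self.kind == "LocationMatch":
            return re.search(self.pattern, uri) is not None
        # <Location /> covers every URI; <Location /x> covers /x and /x/...
        return (self.pattern == "/" or uri == self.pattern
                or uri.startswith(self.pattern.rstrip("/") + "/"))

    def has_host_rules(self) -> bool:
        return bool(self.order or self.allow or self.deny)


def host_matches(rules: List[str], client: str) -> bool:
    """'all' matches any client; otherwise compare the literal address."""
    return any(rule == "all" or rule == client for rule in rules)


def decide(sections: List[Section], uri: str, client: str) -> str:
    """Return 'allowed' or 'denied' for one request under the merged config."""
    effective = None
    for section in sections:          # config order is merge order
        if section.matches(uri) and section.has_host_rules():
            effective = section       # ASSUMPTION: replaces, does not combine
    if effective is None:
        return "allowed"              # no host-based restriction applies

    allowed = host_matches(effective.allow, client)
    denied = host_matches(effective.deny, client)
    if effective.order == "allow,deny":
        # must match an Allow, and must not match any Deny
        return "allowed" if allowed and not denied else "denied"
    # deny,allow: denied only if a Deny matches and no Allow rescues it
    return "denied" if denied and not allowed else "allowed"


# The two sections exactly as posted in the report.
REPORTED_CONFIG = [
    Section("Location", "/", order="allow,deny", deny=["all"]),
    Section("LocationMatch", "/server-status", order="allow,deny",
            allow=["127.0.0.1", "::1"]),
]


def report_outcomes(sections: List[Section]) -> dict:
    """Evaluate a few constructed requests; the addresses are sample values."""
    probes = [("/index.html", "127.0.0.1"),
              ("/server-status", "127.0.0.1"),
              ("/server-status", "203.0.113.7")]   # constructed remote client
    return {(uri, client): decide(sections, uri, client)
            for uri, client in probes}


if __name__ == "__main__":
    for (uri, client), result in report_outcomes(REPORTED_CONFIG).items():
        print(f"{uri:16} from {client:12} -> {result}")
    # Swapping the section order closes /server-status again, because
    # <Location /> then becomes the last matching section.
    swapped = list(reversed(REPORTED_CONFIG))
    print("swapped order, /server-status from 127.0.0.1 ->",
          decide(swapped, "/server-status", "127.0.0.1"))
```

Running it shows the outcome the report describes: every URI is denied except /server-status from the two loopback addresses, and the result flips to "denied" as soon as the two sections are written in the opposite order, so a `<Location />` block on its own says nothing final about what the merged configuration permits.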
DO NOT REPLY [Bug 50378] examples on <Location /> might trick people
into wrong feeling of security
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50378
--- Comment #2 from Eric Covener <co...@gmail.com> 2010-11-30 17:19:20 EST ---
"perfectly safe" with respect to multiple Locations leading to what should have
been protected directories, which is legitimate and should not be interpreted
being some type of final configuration.
DO NOT REPLY [Bug 50378] examples on <Location /> might trick people
into wrong feeling of security
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50378
Eric Covener <co...@gmail.com> changed:
What            | Removed | Added
----------------+---------+----------
Status          | NEW     | RESOLVED
Resolution      |         | INVALID
--- Comment #1 from Eric Covener <co...@gmail.com> 2010-11-30 17:17:29 EST ---
If you think there's an issue here, please quote the objectionable part
specifically in the report.
We're not going to warn every time a configuration section is used in the
manual to remember that there are usually multiple sections being merged.