DO NOT REPLY [Bug 22499] New: - /server-status does NOT honor access-clause "deny"

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22499>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22499

/server-status does NOT honor access-clause "deny"

           Summary: /server-status does NOT honor access-clause "deny"
           Product: Apache httpd-1.3
           Version: 1.3.28
          Platform: Alpha
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Other
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rosenbach@seninn.verwalt-berlin.de


OS is Tru64 UNIX 4.0E patchkit 4.

mod_status is compiled and enabled (and works).

I introduced (as stated in ./manual/mod/mod_status.html#extendedstatus)

    <Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from myhost.foo.com
    </Location>

But other hosts than the given one are allowed to see the server status!

BTW: in my case "myhost" and the other host were connected via some proxy-
server (which is NOT myhost).
So, in my point of view, NONE of them should have been honored given the config 
above ... ???

Best regards, Martin Rosenbach

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org