Posted to dev@httpd.apache.org by Paul Sutton <pa...@ukweb.com> on 1996/11/28 11:18:45 UTC

Potential Satisfy problem

There is a problem with the Satisfy directive. If you have a .htaccess
file within an area protected by "Satisfy Any" it reverts to the "Satisfy
All" behaviour.

For example, here is a Satisfy Any setup in access.conf:

  <Directory /usr/www>
  AuthType Basic
  AuthName Local
  AuthUserFile /something

  <Limit GET>
  order deny,allow
  deny from all
  allow from local.net.
  require valid-user
  satisfy any
  </Limit>
  </Directory>

This works fine as it is. If you come from *.local.net, you will get in
without being asked for a password. This is the 'any' behaviour. However
if you create a .htaccess file in /usr/www and include any _core_
directive, the 'any' function will not work, and you will be asked for
a username and password (the 'all' behaviour). The DefaultType directive
is handled by the core, so creating this .htaccess file in /usr/www
causes the Satisfy Any functionality to be lost:

  DefaultType text/html

This is because the value of the 'satisfy' field in the per-dir config
when two dirs are merged is always set to the most-recently processed
per-dir config, in this case, the .htaccess file, even though the
.htaccess file doesn't contain any directives related to authentication.

Now this _might_ be the desired behaviour, but it is not very intuitive. 
The fix is to update the merge_core_dir_config so that the satisfy setting
is only updated if it is changed in the new dir you are merging. However
you cannot currently do this because the value for SATISFY_ALL is 0, which
is the same as when no satisfy directive is present.

Paul
UK Web Ltd
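
The merge behaviour described in the message above, as an added example that is not part of the original post and not Apache's own code: a simplified C model of the per-dir merge, showing the "newest config always wins" result next to a merge that only overrides when the value was set. The `dir_conf` struct, the function names and the `SATISFY_UNSET` sentinel are assumptions made for illustration.

```c
#include <stdio.h>

/* As in the post, "all" is 0, the same value a config holds when no
 * satisfy directive was seen. SATISFY_UNSET is a hypothetical sentinel. */
enum { SATISFY_ALL = 0, SATISFY_ANY = 1, SATISFY_UNSET = 2 };

/* Simplified stand-in for the core per-directory config. */
typedef struct { int satisfy; } dir_conf;

/* Behaviour described in the post: the most recently processed
 * per-dir config always supplies the satisfy value. */
static dir_conf merge_always(dir_conf base, dir_conf add) {
    dir_conf out = base;
    out.satisfy = add.satisfy;
    return out;
}

/* Proposed behaviour: override only if the newer config set a value. */
static dir_conf merge_if_set(dir_conf base, dir_conf add) {
    dir_conf out = base;
    if (add.satisfy != SATISFY_UNSET)
        out.satisfy = add.satisfy;
    return out;
}

/* Satisfy any: host check OR valid user. Otherwise both are required. */
static int access_granted(dir_conf c, int host_ok, int user_ok) {
    if (c.satisfy == SATISFY_ANY)
        return host_ok || user_ok;
    return host_ok && user_ok;
}

int main(void) {
    dir_conf access_conf  = { SATISFY_ANY };   /* <Directory /usr/www> */
    dir_conf htaccess_old = { 0 };             /* only DefaultType, zeroed */
    dir_conf htaccess_new = { SATISFY_UNSET }; /* only DefaultType, unset */

    /* Client from local.net with no credentials: host_ok=1, user_ok=0. */
    printf("always-overwrite merge: %s\n",
           access_granted(merge_always(access_conf, htaccess_old), 1, 0)
               ? "allowed" : "password required");
    printf("merge-if-set:           %s\n",
           access_granted(merge_if_set(access_conf, htaccess_new), 1, 0)
               ? "allowed" : "password required");
    return 0;
}
```

With the sentinel in place, a .htaccess file that does say "satisfy all" still overrides the parent, because its value is distinguishable from "not set".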