Posted to docs@httpd.apache.org by sl...@apache.org on 2003/07/31 21:06:07 UTC

cvs commit: httpd-docs-1.3/htdocs/manual/mod core.html.en mod_access.html.en

slive       2003/07/31 12:06:07

  Modified:    htdocs/manual/mod core.html.en mod_access.html.en
  Log:
  Backport a couple security related changes to 1.3.
  Discourage use of <Limit> and document double-reverse
  lookups in Allow/Deny.
  
  Revision  Changes    Path
  1.253     +10 -2     httpd-docs-1.3/htdocs/manual/mod/core.html.en
  
  Index: core.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/core.html.en,v
  retrieving revision 1.252
  retrieving revision 1.253
  diff -u -d -b -u -r1.252 -r1.253
  --- core.html.en	7 Jul 2003 00:37:18 -0000	1.252
  +++ core.html.en	31 Jul 2003 19:06:06 -0000	1.253
  @@ -1958,11 +1958,19 @@
          Require valid-user<br />
          &lt;/Limit&gt;</code>
       </blockquote>
  -    The method names listed can be one or more of: GET, POST, PUT,
  +    <p>The method names listed can be one or more of: GET, POST, PUT,
       DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
       MKCOL, COPY, MOVE, LOCK, and UNLOCK. <strong>The method name is
       case-sensitive.</strong> If GET is used it will also restrict
  -    HEAD requests. The TRACE method cannot be limited.
  +    HEAD requests. The TRACE method cannot be limited.</p>
  +
  +    <p><strong>Warning:</strong> A <a
  +    href="#limitexcept">&lt;LimitExcept&gt;</a> section should
  +    always be used in preference to a <a
  +    href="#limit">&lt;Limit&gt;</a> section when restricting access,
  +    since a <a href="#limitexcept">&lt;LimitExcept&gt;</a> section
  +    provides protection against arbitrary methods.</p>
  +
       <hr />
   
       <h2><a id="limitexcept" name="limitexcept">&lt;LimitExcept&gt;
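Review bot: The new warning paragraph (the `+` block ending "provides protection against arbitrary methods") states the recommendation but not the failure mode that motivates it; since the example above it lists `Require valid-user` inside `<Limit>`, a reader can still assume the listed methods are the only ones that matter. Suggest one sentence making the consequence explicit, e.g. "Any method not named in the `<Limit>` section, including non-standard ones, is left unrestricted," so that "arbitrary methods" is anchored to the behaviour described two sentences earlier ("If GET is used it will also restrict HEAD requests"). The anchor `#limitexcept` resolves to the `id="limitexcept"` heading in the trailing context, so the links are fine as written.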
  
  
  
  1.33      +6 -2      httpd-docs-1.3/htdocs/manual/mod/mod_access.html.en
  
  Index: mod_access.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/mod_access.html.en,v
  retrieving revision 1.32
  retrieving revision 1.33
  diff -u -d -b -u -r1.32 -r1.33
  --- mod_access.html.en	29 Apr 2003 08:55:27 -0000	1.32
  +++ mod_access.html.en	31 Jul 2003 19:06:07 -0000	1.33
  @@ -112,10 +112,14 @@
         access. Only complete components are matched, so the above
         example will match <code>foo.apache.org</code> but it will
         not match <code>fooapache.org</code>. This configuration will
  -      cause the server to perform a reverse DNS lookup on the
  +      cause the server to perform a double reverse DNS lookup on the
         client IP address, regardless of the setting of the <a
         href="core.html#hostnamelookups">HostnameLookups</a>
  -      directive.</dd>
  +      directive.  It will do a reverse DNS lookup on the IP address to
  +      find the associated hostname, and then do a forward lookup on
  +      the hostname to assure that it matches the original IP address.
  +      Only if the forward and reverse DNS are consistent and the
  +      hostname matches will access be allowed.</dd>
   
         <dt>A full IP address</dt>
   
  
  
  
