Posted to docs@httpd.apache.org by sl...@apache.org on 2003/07/31 21:06:07 UTC
cvs commit: httpd-docs-1.3/htdocs/manual/mod core.html.en mod_access.html.en
slive 2003/07/31 12:06:07
Modified: htdocs/manual/mod core.html.en mod_access.html.en
Log:
Backport a couple of security-related changes to 1.3.
Discourage use of <Limit> and document double-reverse
lookups in Allow/Deny.
Revision Changes Path
1.253 +10 -2 httpd-docs-1.3/htdocs/manual/mod/core.html.en
Index: core.html.en
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/core.html.en,v
retrieving revision 1.252
retrieving revision 1.253
diff -u -d -b -u -r1.252 -r1.253
--- core.html.en 7 Jul 2003 00:37:18 -0000 1.252
+++ core.html.en 31 Jul 2003 19:06:06 -0000 1.253
@@ -1958,11 +1958,19 @@
Require valid-user<br />
</Limit></code>
</blockquote>
- The method names listed can be one or more of: GET, POST, PUT,
+ <p>The method names listed can be one or more of: GET, POST, PUT,
DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, and UNLOCK. <strong>The method name is
case-sensitive.</strong> If GET is used it will also restrict
- HEAD requests. The TRACE method cannot be limited.
+ HEAD requests. The TRACE method cannot be limited.</p>
+
+ <p><strong>Warning:</strong> A <a
+ href="#limitexcept"><LimitExcept></a> section should
+ always be used in preference to a <a
+ href="#limit"><Limit></a> section when restricting access,
+ since a <a href="#limitexcept"><LimitExcept></a> section
+ provides protection against arbitrary methods.</p>
+
<hr />
<h2><a id="limitexcept" name="limitexcept"><LimitExcept>
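Review bot: The added warning paragraph tells the reader to prefer <LimitExcept> but leaves the example above it in the <Limit> form and never says what "arbitrary methods" means in practice; since the paragraph two lines up states that method matching is case-sensitive, a reader should be told that any method not named in a <Limit> section (including a differently-cased spelling of a listed one) is simply not covered by the directives inside it, which is exactly why the commit discourages <Limit> for access restriction. Suggest stating that in the warning and showing the preferred form inline, e.g. `<LimitExcept GET POST>` / `Require valid-user` / `</LimitExcept>`, so the two sections are compared side by side rather than by cross-reference only.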
1.33 +6 -2 httpd-docs-1.3/htdocs/manual/mod/mod_access.html.en
Index: mod_access.html.en
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/mod_access.html.en,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -d -b -u -r1.32 -r1.33
--- mod_access.html.en 29 Apr 2003 08:55:27 -0000 1.32
+++ mod_access.html.en 31 Jul 2003 19:06:07 -0000 1.33
@@ -112,10 +112,14 @@
access. Only complete components are matched, so the above
example will match <code>foo.apache.org</code> but it will
not match <code>fooapache.org</code>. This configuration will
- cause the server to perform a reverse DNS lookup on the
+ cause the server to perform a double reverse DNS lookup on the
client IP address, regardless of the setting of the <a
href="core.html#hostnamelookups">HostnameLookups</a>
- directive.</dd>
+ directive. It will do a reverse DNS lookup on the IP address to
+ find the associated hostname, and then do a forward lookup on
+ the hostname to assure that it matches the original IP address.
+ Only if the forward and reverse DNS are consistent and the
+ hostname matches will access be allowed.</dd>
<dt>A full IP address</dt>
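Review bot: The last added sentence, "Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed", is correct only for Allow; the log message says this hostname argument is being documented for Allow/Deny, and in a Deny directive a client whose forward and reverse lookups disagree fails to match the pattern and is therefore not denied by that line. Suggest phrasing it as a match condition, e.g. "Only if the forward and reverse DNS are consistent and the hostname matches will the client be treated as matching this argument", leaving the allow/deny outcome to Order. Minor wording: "to assure that it matches the original IP address" reads better as "to ensure that it matches".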