Posted to cvs@httpd.apache.org by co...@apache.org on 2012/12/22 22:16:09 UTC

svn commit: r1425345 - in /httpd/httpd/trunk/docs/manual/mod: mod_authz_core.html.en mod_authz_core.xml

Author: covener
Date: Sat Dec 22 21:16:09 2012
New Revision: 1425345

URL: http://svn.apache.org/viewvc?rev=1425345&view=rev
Log:
caution about merging Location settings on top of directory/files authz config

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en?rev=1425345&r1=1425344&r2=1425345&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.html.en Sat Dec 22 21:16:09 2012
@@ -500,6 +500,18 @@ Require group admin
     entire request, and subsequent <code class="directive">Require</code> directives
     are ignored.</p>
 
+    <div class="warning"><h3>Security Warning</h3>
+    <p>Exercise caution when setting authorization directives in
+    <code class="directive"><a href="../mod/core.html#location">Location</a></code> sections
+    that overlap with content served out of the filesystem.  
+    By default, these <a href="../sections.html#mergin">configuration sections</a> overwrite authorization configuration
+    in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,  
+    and <code class="directive"><a href="../mod/core.html#files">Files</a></code> sections.</p>
+    <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code> directive 
+    can be used to control how authorization configuration sections are 
+    merged.</p>
+    </div>
+
 <h3>See also</h3>
 <ul>
 <li><a href="../howto/auth.html">Authentication, Authorization,
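
Review bot: The link on "configuration sections" in the added warning points at `../sections.html#mergin`, and that fragment looks truncated; please confirm it matches the anchor id in sections.html, because a fragment that does not resolve leaves the reader at the top of the page instead of at the merge-order explanation this warning depends on. Two smaller points in the same paragraph: "Directory, and Files" names only two items, so the comma before "and" can go, and several of the added lines end in trailing spaces.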

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1425345&r1=1425344&r2=1425345&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sat Dec 22 21:16:09 2012
@@ -355,6 +355,19 @@ Require group admin
     directive.  Thus the first one to authorize a user authorizes the
     entire request, and subsequent <directive>Require</directive> directives
     are ignored.</p>
+
+    <note type="warning"><title>Security Warning</title>
+    <p>Exercise caution when setting authorization directives in
+    <directive module="core">Location</directive> sections
+    that overlap with content served out of the filesystem.  
+    By default, these <a href="../sections.html#mergin"
+    >configuration sections</a> overwrite authorization configuration
+    in <directive module="core">Directory</directive>,  
+    and <directive module="core">Files</directive> sections.</p>
+    <p>The <directive module="mod_authz_core">AuthMerging</directive> directive 
+    can be used to control how authorization configuration sections are 
+    merged.</p>
+    </note>
 </usage>
 
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
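
Review bot: The new note says Location sections overwrite Directory and Files authorization "by default" and then points at AuthMerging, but it never says which AuthMerging setting changes that behaviour or shows a configuration where the overlap matters. A short example with a Directory section carrying a Require and an overlapping Location section, followed by the AuthMerging value that keeps the Directory restriction in force, would make the caution actionable for someone auditing an existing config. The `<a href="../sections.html#mergin"` tag is also split across two lines mid-tag; keeping it on one line would be easier to read and to grep.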