You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Lars Eilebrecht <la...@apache.org> on 1998/08/14 16:26:07 UTC

PR#2850, mutual-failure vs. allow,deny

Hi,

I already closed the PR, but I noticed that my response is wrong, because I
always thought that access is granted if 'order allow,deny' is used and
the address is on the allow line, whether it is on the deny line or not.

This is the code from check_dir_access():

-snip-

    if (a->order[method] == ALLOW_THEN_DENY) {
        ret = FORBIDDEN;
        if (find_allowdeny(r, a->allows, method))
            ret = OK;
        if (find_allowdeny(r, a->denys, method))
            ret = FORBIDDEN;
    }
    else if (a->order[method] == DENY_THEN_ALLOW) {
        if (find_allowdeny(r, a->denys, method))
            ret = FORBIDDEN;
        if (find_allowdeny(r, a->allows, method))
            ret = OK;
    }
    else {
        if (find_allowdeny(r, a->allows, method)
            && !find_allowdeny(r, a->denys, method))
            ret = OK;
        else
            ret = FORBIDDEN;
    }

-snap-

Maybe I'm to confused to see it, but I'm not able to built
a mutual-failure configuration that cannot be
expressed with either 'order allow,deny' or 'order deny,allow'.

Why do we need 'mutual-failure'?

ciao...
-- 
Lars Eilebrecht                               - Don't look back...
sfx@unix-ag.org                        - the lemmings are gaining on you.
http://www.home.unix-ag.org/sfx/