Posted to dev@httpd.apache.org by Mike Prettejohn <mh...@netcraft.co.uk> on 1996/07/22 10:09:07 UTC

Re: NCSA satisfy any .htaccess directive (fwd)

At this point, I think I would be interested in hearing what the people
on your list have to say.

We're both agreed on what happens, but Brandon thinks it's a documentation
error, and I think it's a server error. 

My premise is that there's no reason at all for the server to stick an
implicit 'allow from all' after the 'deny from all' below.

Mike
----- Forwarded message from blong@uiuc.edu -----
On 7/21, Mike Prettejohn uttered the following other thing:
> : On 7/21, Mike Prettejohn uttered the following other thing:
> : > Hi Brandon,
> : > 
> : > 
> : > I wondered if you knew about this; I mailed httpd@ncsa.uiuc.edu about
> : > a week ago, but haven't had a response. 
> : > 
> : > There seems to be at least one major gotcha in the code implementing
> : > 'satisfy any'; the following lets everyone through without prompting
> : > for a username/passwd.
> : > 
> : > <Limit GET>
> : > order deny,allow
> : > deny from all
> : > require valid-user
> : > satisfy any
> : > </Limit>
> : 
> : This is because the default allow is to allow from all.  
> 
> That's at odds with the documentation.
> 
> http://hoohoo.ncsa.uiuc.edu/docs/setup/access/allow.html
> 
> says that no default applies for allow.

Ah, that's a problem with Rob's English.  By defaults, he meant compile
time, generally.  Or something.  In any case, thanks for pointing that out,
we'll be happy to change the documentation.

> : To make this work,
> : you need to either change to order allow,deny, or to add allow from none.
> : I'll be the first to admit that the security structure of the current
> : server is not particularly obvious, but we're kinda stuck with it.

Brandon
-- 
 Brandon Long      "Its much more fun to be sand than oil in the
 HTTPd/SDG/NCSA         machinery of life."
 blong@fiction.net                 -- Unknown
 www.uiuc.edu/ph/www/blong         Don't worry, these aren't even my views.

----- End of forwarded message from blong@uiuc.edu -----

-- 
Mike Prettejohn                          http://www.netcraft.com
mhp@netcraft.com    Phone +44 1225 447500    Fax +44 1225 448600
Netcraft  Rockfield House Granville Road  Bath  BA1 9BQ  England

----- End of forwarded message from Mike Prettejohn -----

-- 
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb)  http://www.imdb.com/
           ...more movie info than you can poke a stick at.
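
Added example, not part of the original thread and not NCSA httpd code: a simplified Python model of the host check and 'satisfy any' as the messages above describe them, run over the reported configuration and the two workarounds Brandon gives. The function names and the treatment of "all"/"none" as the only host patterns are assumptions made for illustration.

```python
# Simplified model (an assumption, not NCSA httpd source) of the behaviour
# described in the thread: host check first, then 'satisfy any'.

def host_allowed(order, deny=None, allow=None):
    """Return True if the host check passes.

    deny / allow take "all", "none", or None (directive not written).
    allow=None applies the implicit 'allow from all' the thread discusses.
    """
    if allow is None:
        allow = "all"              # implicit default under discussion
    denied = deny == "all"
    allowed = allow == "all"
    if order == "deny,allow":
        # deny is evaluated first; a matching allow overrides it
        return allowed or not denied
    if order == "allow,deny":
        # allow is evaluated first; a matching deny overrides it
        return allowed and not denied
    raise ValueError("unknown order: %r" % order)

def access_granted(order, deny, allow, satisfy, valid_user):
    """Combine the host check with 'require valid-user' under satisfy."""
    host_ok = host_allowed(order, deny, allow)
    if satisfy == "any":
        return host_ok or valid_user   # either condition is enough
    return host_ok and valid_user      # satisfy all: both are needed

# Constructed cases: the reported <Limit> block and the two workarounds.
CASES = {
    "reported":        dict(order="deny,allow", deny="all", allow=None),
    "order allow,deny": dict(order="allow,deny", deny="all", allow=None),
    "allow from none": dict(order="deny,allow", deny="all", allow="none"),
}

def unauthenticated_access(name):
    """Does a client with no credentials get through under 'satisfy any'?"""
    return access_granted(satisfy="any", valid_user=False, **CASES[name])

if __name__ == "__main__":
    for name in CASES:
        print("%-18s anonymous access: %s" % (name, unauthenticated_access(name)))
```

In this model only the reported block admits a client without credentials; with either workaround the host check fails, so 'satisfy any' falls back to requiring a valid user.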