https://issues.apache.org/bugzilla/show_bug.cgi?id=50378
Summary: examples on <Location /> might trick people into wrong
feeling of security
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Documentation
AssignedTo: [email protected]
ReportedBy: [email protected]
Hi.
Marked this as major, as it might (IMHO) trick people or their understanding on
how to secure a server.
In several places, e.g.:
http://httpd.apache.org/docs/2.2/mod/core.html#location
http://httpd.apache.org/docs/2.2/sections.html#file-and-web ("What to use When"
section)
and maybe others
you describe that using <Location /> is perfectly secure (to do access control)
as it applies to all requests.
Depending on how merging works (see my other issue #50377) this is NOT totally
true, as the following example proves:
<Location />
Order allow,deny
Deny from all
</Location>
<LocationMatch /server-status>
SetHandler server-status
Order allow,deny
Allow from 127.0.0.1 ::1
</LocationMatch>
From the <Location /> one might think "this applies to everything thus all
access to the server is forbidden"... however due to the 2nd section this is
actually not true.
Cheers,
Chris.
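
The override described in this report, as an added example that is not part of the original message or of Apache's own code: a simplified Python model of how Apache 2.2 evaluates Order/Allow/Deny across the two quoted sections, assuming the documented mod_authz_host behaviour that a section using any of these directives inherits none of them from earlier sections. The function names, the minimal parser and the client addresses are constructed for illustration; only "all", IP addresses and CIDR ranges are modelled.

```python
import ipaddress
import re

# Constructed sample: the two sections quoted in the report.
CONFIG = """\
<Location />
Order allow,deny
Deny from all
</Location>
<LocationMatch /server-status>
SetHandler server-status
Order allow,deny
Allow from 127.0.0.1 ::1
</LocationMatch>
"""
SECTION = re.compile(r"<(Location|LocationMatch)\s+(\S+)>\n(.*?)</\1>", re.S)

def parse_sections(text):
    """Return [(kind, pattern, acl-or-None)] in file order; acl is set only
    when the section itself uses Order, Allow or Deny."""
    out = []
    for kind, pat, body in SECTION.findall(text):
        acl = None
        for words in (line.split() for line in body.splitlines()):
            name = words[0].lower() if words else ""
            if name in ("order", "allow", "deny"):
                acl = acl or {"order": "deny,allow", "allow": [], "deny": []}
                if name == "order":
                    acl["order"] = words[1].lower()
                else:
                    acl[name] += words[2:]  # skip the literal "from"
        out.append((kind, pat, acl))
    return out

def host_matches(specs, ip):
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(s, strict=False) for s in specs if s.lower() != "all"]
    return "all" in map(str.lower, specs) or any(addr in n for n in nets)

def effective_access(text, path, ip):
    """Return (allowed, deciding_section). The last matching section that
    declares access control replaces earlier ones wholesale."""
    acl, winner = None, None
    for kind, pat, sec in parse_sections(text):
        hit = (re.search(pat, path) if kind == "LocationMatch"
               else (path == pat or path.startswith(pat.rstrip("/") + "/")))
        if sec and hit:
            acl, winner = sec, f"<{kind} {pat}>"
    if acl is None:
        return True, None
    allowed, denied = host_matches(acl["allow"], ip), host_matches(acl["deny"], ip)
    ok = (allowed and not denied) if acl["order"] == "allow,deny" else (allowed or not denied)
    return ok, winner
```

Running `effective_access` over every section in a real configuration shows which paths are decided by a later section rather than by `<Location />`.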