https://bz.apache.org/bugzilla/show_bug.cgi?id=69840

            Bug ID: 69840
           Summary: Insecure WebDAV example
           Product: Apache httpd-2
           Version: 2.4.65
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 40112
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=40112&action=edit
httpd.conf

https://httpd.apache.org/docs/current/mod/mod_dav.html#example contains the
following *insecure* example configuration:

<Directory "/usr/local/apache2/htdocs/foo">
    Require all granted
…
    <LimitExcept GET POST OPTIONS>
        Require user admin
    </LimitExcept>
</Directory>

According to
https://httpd.apache.org/docs/2.4/de/mod/mod_authz_core.html#requireall both
'Require' directives are wrapped in an implicit '<RequireAny>', which renders the
'<LimitExcept>' moot:

> When multiple Require directives are used in a single configuration section
> and are not contained in another authorization directive like <RequireAll>,
> they are implicitly contained within a <RequireAny> directive

I have created a minimal Docker image with the attached `httpd.conf` to verify
this:
```
# Test page that the unauthenticated DELETE below will remove
echo '<html><head><title>DAV</title></head><body><div>Hello</div></body></html>' >index.html

cat >Dockerfile <<__DOCKER__
FROM httpd:2.4
RUN install -d -m 2775 -o www-data -g www-data /usr/local/apache2/htdocs/dav /usr/local/apache2/var
RUN htpasswd -cb5 /usr/local/apache2/user.passwd admin admin
COPY index.html /usr/local/apache2/htdocs/dav/index.html
COPY httpd.conf /usr/local/apache2/conf/httpd.conf
__DOCKER__

docker build -t apache2 .
docker run --rm -d --name apache2 -p 8888:80 apache2

# Unauthenticated PUT is accepted
curl -T /etc/debian_version -X PUT -i http://localhost:8888/dav/allowed.txt
# HTTP/1.1 201 Created

# Unauthenticated DELETE is accepted
curl -X DELETE -i http://localhost:8888/dav/index.html
# HTTP/1.1 204 No Content
```

Applying the following change restores the desired behavior, that
authentication is required for DAV operations like PUT and DELETE:
-    Require all granted
-    <LimitExcept GET POST OPTIONS>
-        Require user admin
-    </LimitExcept>
+    Require method GET POST OPTIONS
+    Require user admin
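Review bot: the hunk has no file header, `@@` line or unchanged context lines, so it cannot be applied with `patch`, and a reviewer cannot see whether the `AuthType`, `AuthName` and `AuthUserFile` directives that `Require user admin` depends on are present in the surrounding `<Directory>` block; please post it as a `diff -u` against the manual source with those lines as context. The replacement itself reads correctly: with `Require method GET POST OPTIONS` and `Require user admin` as siblings under the implicit `<RequireAny>`, the read-only methods are granted to everyone and every other method only to an authenticated `admin`.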

When you fix the documentation, please also fix Bug #66652.
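To show why the `<LimitExcept>` does not help, here is an added example (not part of the bug report or of httpd) that models how mod_authz_core combines the top-level `Require` directives of one section, following the quoted documentation: siblings form an implicit `<RequireAny>`, and `<LimitExcept>` only decides which directives apply to a method. The `Require` class and `authorized` function are assumptions of this model, not httpd code.

```python
from dataclasses import dataclass, field

@dataclass
class Require:
    provider: str                                     # "all", "method" or "user"
    args: list = field(default_factory=list)
    limit_except: list = field(default_factory=list)  # methods named by an enclosing <LimitExcept>

    def applies(self, method):
        # Inside <LimitExcept A B>, the directive applies to every method except A and B.
        return not self.limit_except or method not in self.limit_except

    def check(self, method, user):
        if self.provider == "all":
            return self.args == ["granted"]
        if self.provider == "method":
            return method in self.args
        if self.provider == "user":
            # No credentials: denied (real httpd would answer with a 401 challenge).
            return user is not None and user in self.args
        raise ValueError(f"unknown provider {self.provider}")

def authorized(section, method, user=None):
    """Implicit <RequireAny>: granted if any applicable directive grants access."""
    return any(r.check(method, user) for r in section if r.applies(method))

# The example from the mod_dav documentation, as reported above.
DOC_EXAMPLE = [
    Require("all", ["granted"]),
    Require("user", ["admin"], limit_except=["GET", "POST", "OPTIONS"]),
]

# The replacement proposed in this bug.
PROPOSED_FIX = [
    Require("method", ["GET", "POST", "OPTIONS"]),
    Require("user", ["admin"]),
]

if __name__ == "__main__":
    for name, section in (("doc example", DOC_EXAMPLE), ("proposed fix", PROPOSED_FIX)):
        for method in ("GET", "PUT", "DELETE"):
            verdict = "granted" if authorized(section, method) else "denied"
            print(f"{name:13} anonymous {method:7}: {verdict}")
```

Anonymous `PUT` and `DELETE` come out granted for the documentation example, because `Require all granted` alone satisfies the `<RequireAny>`, and denied for the proposed fix.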
