
Mailing List Archive: Apache: Dev

PR 47019 Limit/LimitExcept bug or documentation bug?

 

 


sf at sfritsch

Oct 31, 2009, 4:14 PM

Post #1 of 3 (129 views)
PR 47019 Limit/LimitExcept bug or documentation bug?

Hi,

consider this config:
===================
<Location /sec>
Order deny,allow
Deny from all
Allow from 1.2.3.4
</Location>

<Location />
<LimitExcept GET POST >
Order allow,deny
Deny from all
</LimitExcept>
</Location>
===================

From the LimitExcept docs, I would expect that the <Location /> block
does not affect GET/POST requests at all. But actually, it is allowing
access from everywhere, overriding the previous <Location /sec> block.

Is this a bug in httpd or a documentation problem? I would argue it is
an httpd bug because it can easily open security holes in a
configuration.

PR 47019 is filed against 1.3, but the issue affects 2.x/trunk, too.

Cheers,
Stefan


nick at webthing

Nov 1, 2009, 4:01 AM

Post #2 of 3 (118 views)
Re: PR 47019 Limit/LimitExcept bug or documentation bug? [In reply to]

On 31 Oct 2009, at 23:14, Stefan Fritsch wrote:

> Hi,
>
> consider this config:
> ===================
> <Location /sec>
> [chop]
> <Location />
> [chop]
> ===================
>
> From the LimitExcept docs, I would expect that the <Location /> block
> does not affect GET/POST requests at all. But actually, it is allowing
> access from everywhere, overriding the previous <Location /sec> block.

http://httpd.apache.org/docs/2.2/sections.html#mergin

--
Nick Kew


sf at sfritsch

Nov 1, 2009, 4:13 AM

Post #3 of 3 (118 views)
Re: PR 47019 Limit/LimitExcept bug or documentation bug? [In reply to]

On Sunday 01 November 2009, Nick Kew wrote:
> On 31 Oct 2009, at 23:14, Stefan Fritsch wrote:
> > Hi,
> >
> > consider this config:
> > ===================
> > <Location /sec>
> > [chop]
> > <Location />
> > [chop]
> > ===================
> >
> > From the LimitExcept docs, I would expect that the <Location />
> > block does not affect GET/POST requests at all. But actually, it
> > is allowing access from everywhere, overriding the previous
> > <Location /sec> block.
>
> http://httpd.apache.org/docs/2.2/sections.html#mergin
>
I am aware that directives in the <Location /> section override
directives in the earlier <Location /sec> section. But the <Location
/> does _not_ contain anything that affects GET/POST. Therefore I
would expect that the <Location /sec> section still applies for
GET/POST.


The problem is that

<LimitExcept X>
... some access control ...
</LimitExcept>

is treated as

<LimitExcept X>
... some access control ...
</LimitExcept>
<Limit X>
Allow from all
</Limit>

but this is not obvious from the documentation. And it makes it a PITA
to globally disallow certain methods (except if using mod_rewrite).
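An added illustration, not code from the thread or from httpd: the Python model below simulates, in a deliberately simplified way, how the two <Location> sections from Stefan's config merge for a single request, once under the reading he expected (a <LimitExcept X> block says nothing about the methods in X) and once under the behaviour the thread reports (the block is treated as if followed by "<Limit X> Allow from all </Limit>"). It also includes a small audit helper that lists which earlier, narrower sections a later <LimitExcept> would silently override. Path matching as a plain prefix test and string comparison of IPs are simplifications of mod_access behaviour, chosen to keep the model short.

```python
"""Simplified model of the <Limit>/<LimitExcept> merge hazard from PR 47019.

Not httpd code. It simulates how Order/Allow/Deny rules in successive
<Location> sections merge for one request, under two readings:
  expected: a <LimitExcept X> block says nothing about methods in X, so an
            earlier section's rule for those methods stays in force;
  reported: a <LimitExcept X> block is treated as if followed by
            "<Limit X> Allow from all </Limit>", as the thread describes.
Path matching is a plain prefix test and IPs are compared as strings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    """One Order/Allow/Deny triple; the string "all" stands for 'from all'."""
    order: str  # "deny,allow" or "allow,deny"
    allow: frozenset
    deny: frozenset

    def permits(self, client_ip):
        allowed = "all" in self.allow or client_ip in self.allow
        denied = "all" in self.deny or client_ip in self.deny
        if self.order == "deny,allow":   # default permit; Deny rejects unless Allow matches
            return allowed or not denied
        if self.order == "allow,deny":   # default reject; need an Allow and no Deny
            return allowed and not denied
        raise ValueError("unknown Order " + self.order)


ALLOW_ALL = AccessRule("deny,allow", frozenset({"all"}), frozenset())


@dataclass(frozen=True)
class Section:
    """A <Location path> block holding (scope, methods, rule) triples, where
    scope is "all" (bare directives), "limit" or "limitexcept"."""
    path: str
    rules: tuple


def rule_applies(scope, methods, method):
    if scope == "all":
        return True
    if scope == "limit":
        return method in methods
    if scope == "limitexcept":
        return method not in methods
    raise ValueError("unknown scope " + scope)


def evaluate(sections, path, method, client_ip, implicit_allow):
    """True if the request is permitted. Sections merge in configuration
    order and the last applicable rule wins. With implicit_allow=True a
    <LimitExcept X> also installs "Allow from all" for the methods in X."""
    effective = None  # no applicable access control at all -> permitted
    for sec in sections:
        if not path.startswith(sec.path):
            continue
        for scope, methods, rule in sec.rules:
            if rule_applies(scope, methods, method):
                effective = rule
            elif scope == "limitexcept" and implicit_allow:
                effective = ALLOW_ALL  # method is in X: silently opened up
    return True if effective is None else effective.permits(client_ip)


def implicitly_opened(sections):
    """Audit helper: for every <LimitExcept X> section, list the earlier,
    narrower sections whose rules for the methods in X it would silently
    replace under the reported behaviour."""
    findings = []
    for i, later in enumerate(sections):
        for scope, methods, _ in later.rules:
            if scope != "limitexcept":
                continue
            overridden = tuple(
                earlier.path for earlier in sections[:i]
                if earlier.path.startswith(later.path)
                and any(rule_applies(s, m, meth)
                        for s, m, _ in earlier.rules for meth in methods))
            if overridden:
                findings.append((later.path, tuple(sorted(methods)), overridden))
    return findings


# The two sections from the thread, transcribed into the model.
THREAD_CONFIG = (
    Section("/sec", (("all", frozenset(),
                      AccessRule("deny,allow", frozenset({"1.2.3.4"}), frozenset({"all"}))),)),
    Section("/", (("limitexcept", frozenset({"GET", "POST"}),
                   AccessRule("allow,deny", frozenset(), frozenset({"all"}))),)),
)

if __name__ == "__main__":
    for implicit in (False, True):
        ok = evaluate(THREAD_CONFIG, "/sec/x", "GET", "5.6.7.8", implicit)
        print("reported" if implicit else "expected", "-> GET /sec from 5.6.7.8:",
              "permitted" if ok else "denied")
    print("audit:", implicitly_opened(THREAD_CONFIG))
```

Under the expected reading a GET for /sec from 5.6.7.8 is denied; under the reported merge it is permitted, which is exactly the "allowing access from everywhere" outcome the first post describes, while PUT stays denied everywhere in both readings. The audit helper reports that the <Location /> section's <LimitExcept GET POST> overrides /sec for GET and POST; in a real config review that is the list of sections whose GET/POST access control a reviewer would want to re-check by hand.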
