httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43196] - Require statement not honored.
Date Wed, 29 Aug 2007 08:50:45 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=43196

------- Additional Comments From stefano.mosconi@gmail.com  2007-08-29 01:50 -------
(In reply to comment #11)
Hi Rici,

I'm working with Jesus on the thing.

> Although the <Location /> block presented above has a 'Require ldap-attribute'
> directive in it, I suspect that the configuration actually used to generate
> the debugging output did not have that directive, and that the only require
> directive in the <Location /> block was "require valid-user". That's
> consistent with the debugging output, and demonstrates that the <Location />
> block was merged last (in the second debugging run, with a direct url to the
> file); the request succeeds since the userid has been authenticated.

You are right, the config of the debug output had just "require valid-user" as
the require directive.

> This leaves the question of why mod_autoindex denied access to the file when
> creating a directory listing. The answer is that mod_autoindex does an
> ap_sub_req_lookup_dirent() to check the file; as far as I know, that version
> of sub_req does not do a <Location /> merge.
> 
> If there is a bug here, it's a documentation bug; the documentation for
> <Location> correctly states:
>   Use <Location> to apply directives to content that lives outside
>   the filesystem. For content that lives in the filesystem, use
>   <Directory> and <Files>.
> 
> But then goes on to say:
>   An exception is <Location />, which is an easy way to apply
>   a configuration to the entire server.
> 
> As can be seen here, attempts to use <Location /> for the purpose of
> applying a default configuration to the entire server are likely to
> fail, and the documentation possibly should be tightened up.

So you are saying that the <Location /> "wins" over the .htaccess inside the
directory because it is merged last, and the thing that we put inside the
<Directory>, an "AllowOverride All", does not count at all...

The fact that mod_autoindex is not showing the files in any case is highly
misleading. A non-careful administrator could just stop there and conclude that
"yes it's working". So either mod_autoindex also shows the files or
mod_authnz_ldap also behaves as mod_autoindex does. We cannot have two modules
that work in such different ways on such a crucial thing.

Moreover, this way the admin loses a lot of power over fine-grained access
control and ease of configuration.

But anyway, those are just my opinions; on the other hand, what is your advice?
Just change the <Location /> for the root <Directory ...> and then specify other
Locations residing outside that directory if needed?

Thanks
Stefano
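
The merge order discussed in this message, as an added Apache configuration example (not taken from the bug report or from the httpd project). The document root, LDAP URL and attribute value are constructed placeholders; it shows the <Location /> layout in which the .htaccess Require is replaced, beside the root <Directory> layout asked about above.

```apache
# Constructed example. /var/www/html, ldap.example.com and
# employeeType=staff are placeholders, not values from the bug report.

# ---- Layout A: authorization placed in <Location /> ----------------
# httpd merges sections in this order: <Directory> together with
# .htaccess, then <Files>, then <Location>. For a direct request the
# <Location /> block is therefore merged last, and its Require
# replaces any Require that came from .htaccess.
<Directory "/var/www/html">
    Options Indexes
    AllowOverride All
</Directory>

<Location />
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require valid-user
</Location>

# /var/www/html/private/.htaccess contains:
#     Require ldap-attribute employeeType=staff
# Result for a direct URL under /private/: any authenticated user is
# let in, because "Require valid-user" from <Location /> wins.

# ---- Layout B: the same default placed in the root <Directory> -----
# Use this instead of Layout A, not together with it.
# .htaccess is merged after the enclosing <Directory>, and no
# <Location> block is left to be merged on top of it, so the
# ldap-attribute restriction in private/.htaccess stays in force.
<Directory "/var/www/html">
    Options Indexes
    # AuthConfig is sufficient for Require in .htaccess
    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require valid-user
</Directory>
```

After changing the layout, request a restricted file by its direct URL as a user who lacks the attribute; checking only the directory listing is not enough, since the thread shows the listing and the direct request can disagree.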