httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 47019] New: LimitExcept inside LocationMatch wipes all other access controls
Date Tue, 14 Apr 2009 01:01:11 GMT

           Summary: LimitExcept inside LocationMatch wipes all other
                    access controls
           Product: Apache httpd-1.3
           Version: 1.3.41
          Platform: Other
        OS/Version: FreeBSD
            Status: NEW
          Severity: major
          Priority: P2
         Component: core

Consider the following configuration:

 <LocationMatch ".">
  <LimitExcept GET POST>
     Order deny,allow
     Deny from all

Using the above configuration renders all other mod_access host/IP control
statements silently inoperative (i.e. Order/Deny/Allow). 

My test case was a stock Apache 1.3.41 with the following configure target:

./configure --with-layout=Apache --prefix=/some/prefix --enable-shared=max \

Besides two production sites this was discovered on, I tested the simple case
above with a directory section like so (modulo the directory name which can be

 <Directory /foo>
  Order deny,allow
  Allow from
  Deny from all

then we start apache normally as a non-root user:

 apache/bin/apachectl start

put a simple foo.html file in /foo, then:

 lynx -dump

tests the IP based access from the host name and

 lynx -dump

tests the localhost access.

I can provide more information on request. I believe the LocationMatch
directive to be correctly constructed, and such a block should not silently
remove all your other access controls.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message