httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52406] Order not inherited by subdirectories
Date Mon, 02 Jan 2012 16:20:39 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

Christoph Anton Mitterer <calestyo@scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from Christoph Anton Mitterer <calestyo@scientia.net> 2012-01-02 16:20:39 UTC ---
Well ....
a) IMHO this should really be changed... it just seems to contradict how
everything else works, and is also a security risk, as the default "Order
deny,allow" is rather "open".

Apache 2.3/2.4 could be a good opportunity to introduce such a (major) change
in behaviour.

I think it would also be rather "uncritical" to do this...
- The default is "Order deny,allow" anyway... if this is set in the parent
directory (or not set at all and therefore left at the default), it was till
now also the case for subdirs (but just because it "started there from scratch"
and not because it was inherited).

- If the parent directory had the non-default "Order allow,deny" set, it will now be
inherited and potentially change semantics (because before it was reset to start
with deny,allow):
But this would not open any security problems; it would rather just deny any
accesses that were allowed before.
This IS of course some major change, but not a bad one, and it would be
quickly noticed (in case people wouldn't read the release notes, which would then
notify about this change).


b) In case the inheritance behaviour of Order is not corrected as I propose
above:
I guess this should be noted in several places, not just mod_access (which is
deprecated anyway):

- mod_access
- mod_authz_host
There it should IMHO not only be noted in the Order directive, but also in
the Deny/Allow directives, as they're directly affected.

I'd further note it in:
- sections.html
Perhaps by adding a new small chapter that informs about this special case.

- security_tips.html
As this is IMHO security related (because the behaviour is strange, and the
default "Order deny,allow" is lax)...



Cheers,
Chris.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

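The behaviour the comment above argues about can be made concrete with a small model of how mod_access / mod_authz_host (httpd 2.2) evaluate Order, Allow from and Deny from. This is an added example, not code from the bug report or from httpd; it models only "all" and IP/CIDR rules (not hostnames or partial dotted forms), and the parent/child <Directory> configuration in it is constructed for the illustration. `inherit=False` reproduces the reported behaviour (a child section with Allow/Deny lines but no Order starts from the default "Deny,Allow"); `inherit=True` models the proposed change (the child section takes the parent's Order).

```python
"""Model of Order / Allow from / Deny from evaluation and of the subdirectory
inheritance question in bug 52406. Added example; not httpd's own code."""
import ipaddress

DEFAULT_ORDER = "deny,allow"   # httpd's compiled-in default when no Order is given


def _matches(client, rules):
    """True if the client address matches any rule.
    Only 'all' and IPv4/IPv6 addresses or CIDR networks are modelled here;
    hostnames and partial dotted forms such as '10.1' are not (simplification)."""
    addr = ipaddress.ip_address(client)
    for rule in rules:
        if rule.lower() == "all":
            return True
        if addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def decide(order, allow, deny, client):
    """Return True if the client is allowed under the given Order.
    deny,allow: access allowed by default; Deny lines are evaluated first,
                a matching Allow line overrides them.
    allow,deny: access denied by default; Allow lines are evaluated first,
                a matching Deny line overrides them.
    mutual-failure is documented as equivalent to allow,deny."""
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        allowed = True
        if _matches(client, deny):
            allowed = False
        if _matches(client, allow):
            allowed = True
    elif order in ("allow,deny", "mutual-failure"):
        allowed = False
        if _matches(client, allow):
            allowed = True
        if _matches(client, deny):
            allowed = False
    else:
        raise ValueError("unknown Order: %r" % order)
    return allowed


def effective_order(parent, child, inherit):
    """Order applying in the child section.
    inherit=False: child has its own Allow/Deny lines but no Order, so it gets
                   the default (the behaviour the bug reports).
    inherit=True:  child takes the parent's Order (the proposed change)."""
    if child.get("order"):
        return child["order"]
    if inherit and parent.get("order"):
        return parent["order"]
    return DEFAULT_ORDER


# Constructed configuration (not from the bug report), equivalent to:
#   <Directory /srv/www>          Order Allow,Deny ; Allow from 10.0.0.0/8
#   <Directory /srv/www/private>  Allow from 10.0.0.0/8 ; Deny from 10.0.5.0/24  (no Order)
PARENT = {"order": "allow,deny", "allow": ["10.0.0.0/8"], "deny": []}
CHILD = {"allow": ["10.0.0.0/8"], "deny": ["10.0.5.0/24"]}


def child_allows(client, inherit):
    """Access decision for /srv/www/private under the two inheritance models."""
    order = effective_order(PARENT, CHILD, inherit)
    return decide(order, CHILD["allow"], CHILD["deny"], client)


if __name__ == "__main__":
    # 203.0.113.9 is outside 10/8: allowed today (default deny,allow lets any
    # unmatched client in), denied if the parent's allow,deny were inherited.
    # 10.0.5.3 is in the denied /24 but also in the allowed /8: allowed today
    # because the Allow line is evaluated last, denied under allow,deny.
    for client in ("10.0.1.1", "10.0.5.3", "203.0.113.9"):
        print("%-12s current: %-5s inherited: %s" % (
            client, child_allows(client, False), child_allows(client, True)))
```

The run makes the comment's point visible: with the Order reset to the default, a client that matches neither list (203.0.113.9) and a client that matches both (10.0.5.3) are both let in, whereas the same two Allow/Deny lines under the parent's "Order Allow,Deny" would reject them.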
