httpd-cvs mailing list archives

From cove...@apache.org
Subject svn commit: r1425346 - in /httpd/httpd/branches/2.4.x/docs/manual/mod: mod_authz_core.html.en mod_authz_core.xml
Date Sat, 22 Dec 2012 21:19:12 GMT
Author: covener
Date: Sat Dec 22 21:19:12 2012
New Revision: 1425346

URL: http://svn.apache.org/viewvc?rev=1425346&view=rev
Log:
Merge r1425345 from https://svn.apache.org/repos/asf/httpd/httpd/trunk/:

caution about merging Location settings on top of directory/files authz config

Modified:
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.html.en
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.html.en?rev=1425346&r1=1425345&r2=1425346&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.html.en (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.html.en Sat Dec 22 21:19:12
2012
@@ -500,6 +500,18 @@ Require group admin
     entire request, and subsequent <code class="directive">Require</code> directives
     are ignored.</p>
 
+    <div class="warning"><h3>Security Warning</h3>
+    <p>Exercise caution when setting authorization directives in
+    <code class="directive"><a href="../mod/core.html#location">Location</a></code>
sections
+    that overlap with content served out of the filesystem.  
+    By default, these <a href="../sections.html#mergin">configuration sections</a>
overwrite authorization configuration
+    in <code class="directive"><a href="../mod/core.html#directory">Directory</a></code>,
 
+    and <code class="directive"><a href="../mod/core.html#files">Files</a></code>
sections.</p>
+    <p>The <code class="directive"><a href="#authmerging">AuthMerging</a></code>
directive 
+    can be used to control how authorization configuration sections are 
+    merged.</p>
+    </div>
+
 <h3>See also</h3>
 <ul>
 <li><a href="../howto/auth.html">Authentication, Authorization,
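Review bot: The added sentence "By default, these configuration sections overwrite authorization configuration in Directory, and Files sections" has an ambiguous subject. "These" lands on the link text "configuration sections" and can be read as any section type rather than Location. The sentence also stops short of the consequence a reader needs: authorization set in a Location section replaces, rather than adds to, what a Directory or Files section set for the same content. Suggest naming the subject, for example "By default, authorization directives in a Location section replace those set in Directory and Files sections for the same content", and dropping the comma before "and Files".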

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml?rev=1425346&r1=1425345&r2=1425346&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml Sat Dec 22 21:19:12 2012
@@ -355,6 +355,19 @@ Require group admin
     directive.  Thus the first one to authorize a user authorizes the
     entire request, and subsequent <directive>Require</directive> directives
     are ignored.</p>
+
+    <note type="warning"><title>Security Warning</title>
+    <p>Exercise caution when setting authorization directives in
+    <directive module="core">Location</directive> sections
+    that overlap with content served out of the filesystem.  
+    By default, these <a href="../sections.html#mergin"
+    >configuration sections</a> overwrite authorization configuration
+    in <directive module="core">Directory</directive>,  
+    and <directive module="core">Files</directive> sections.</p>
+    <p>The <directive module="mod_authz_core">AuthMerging</directive> directive

+    can be used to control how authorization configuration sections are 
+    merged.</p>
+    </note>
 </usage>
 
 <seealso><a href="../howto/auth.html">Authentication, Authorization,
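Review bot: The link target "../sections.html#mergin" in the added note reads like a truncated "merging"; please confirm that the fragment matches an id that exists in sections.html, so the link does not silently land at the top of that page. The closing paragraph also says only that AuthMerging "can be used to control" merging, without saying which setting keeps the Directory and Files restrictions in force, so the reader gets the warning but not the remedy; one sentence naming the recommended setting would close that gap. Minor: several added lines end in trailing whitespace (after "filesystem." and after the Directory directive).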


