httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Re: authentication of included documents
Date Tue, 04 Apr 1995 17:14:21 GMT
> This may not be much of an issue, but I'll mention it anyway...
> 
> Suppose I have a parsed html file, /john/secret.shtml that is protected
> by basic authentication in the realm (kingdom?) JohnsStuff.
> This file #includes's another document, /david/bb.html, which is also
> protected, in the realm TheBB.
> 
> What should httpd do when a user accesses /john/secret.shtml with a correct
> username & password for the JohnsStuff realm? At present, it will look up
> the username and password in the TheBB realm, and if there is a match then
> the #include will succeed.

What is a realm?  did I miss a patch update or something?

> This seems wrong to me. The client has only provided credentials for the
> JohnsStuff realm, so it shouldn't be able to access files in the TheBB realm.

This is closely related to the problems we discussed earlier last month about
#includes from other directories.  I make use of a /Admin/default_copyright.html
and /Admin/default_timestamp.html amongst others which are themselves unprotected
- there's no /Admin/.htaccess - but which can be included by other protected files,
eg : /Secure/index.html  where /Secure/.htaccess exists.

If the protocol we're using can't handle multiple uid/pwd pairs then a situation
where two *different* .htaccess files had jurisdiction over the available
information would be unworkable - such is the case.

> Of course, the actually probability of a security hole because two independent
> users have the same usernames and passwords is small.

The model you suggest - really I suppose you mean the .htaccess groups
stuff we already have - is interesting [or did I dream up .htgroups?  I don't
think so]  The situation you describe comes about when two uid/pwd pairs are
identical, one from each of john/.htaccess and /david/.htaccess.  If you really mean
these uid/pwd pairs to represent different people then you must use a different
.htpasswd file and you must also ensure that the uid/pwd's are unique.

> ...the actual probability of a security hole because two independent
> users have the same usernames and passwords is small.

The actual probability of a security hole because two independent
users have the same usernames and passwords must be zero, otherwise you break
httpd's security - such as it is.

> 
> I think that httpd should disallow includes (and execs) of documents in
> different realms. What do folks think?

What is a realm?

Maybe HTTP should allow multiple uid/passwd to be associated with each access.  This
is an issue for Rob F tho' I guess.

>  David.
> 

Ay.


Mime
View raw message