httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: [PATCH] fix for satisfy merging
Date Mon, 03 Feb 1997 00:50:59 GMT
You're not missing anything, that's my fault for doing too many things at
once last night.  My message should have said "here's where this should be
fixed I'm doing something else right now though" :)  You forgot to include
your patch.

Dean

On Sun, 2 Feb 1997, Ed Korthof wrote:

> Umm, unless I'm missing something, this means setting SATISFY_ALL in the
> .htdocs will be ignored, no?  (Because SATISFY_ALL == 0 currently.)  Is
> that reasonable behavior?  -- It sounds like a security hole, since a
> person creating a .htaccess would assume their Satisfy directive would be
> in effect... 
> 
> The attached patch fixes that, at the expense of some clarity and a
> potential problem with breaking other modules; I added an additional
> constant, SATISFY_NOSPEC, which is the default value; I also looked
> through all the source files in the standard code base, and changed the
> appropriate bits of code to take that into account.  However, it does
> change the default way in which core_dir_configs are created, which may
> well affect other modules... would it make more sense to have a
> SATISFY_ALL_EXPLICIT?
> 
> <sigh>  Not sure how else to fix this w/o cluttering some structure w/ a
> variable to indicate whether or not Satisfy has been called explicitly for
> each core_dir_config... (ugg).
> 
> If this behavior is fine, then we should still make one change, noted
> below...
> 
>      -- Ed Korthof        |  Web Server Engineer --
>      -- ed@organic.com    |  Organic Online, Inc --
>      -- (415) 278-5676    |  Fax: (415) 284-6891 --
> 
> On Sat, 1 Feb 1997, Dean Gaudet wrote:
> 
> > On Sat, 1 Feb 1997, Marc Slemko wrote:
> > >   * Satisfy Any can be changed if .htaccess exists
> > >         If you give Satisfy Any in access.conf for a particular directory,
> > >         and have a .htaccess in that directory, Satisfy mode reverts
> > >         to Satisfy All even if the .htaccess has _no_ authentication
> > >         directives.
> > 
> > This should fix this.
> > 
> > Dean
> > 
> > Index: http_core.c
> > ===================================================================
> > RCS file: /export/home/cvs/apache/src/http_core.c,v
> > retrieving revision 1.62
> > diff -c -3 -r1.62 http_core.c
> > *** http_core.c	1997/02/01 22:03:36	1.62
> > --- http_core.c	1997/02/02 07:06:35
> > ***************
> > *** 153,159 ****
> >   
> >       conf->sec = append_arrays (a, base->sec, new->sec);
> >   
> > !     conf->satisfy = new->satisfy;
> >       return (void*)conf;
> >   }
> >   
> > --- 156,162 ----
> >   
> >       conf->sec = append_arrays (a, base->sec, new->sec);
> >   
> > !     if( new->satisfy ) conf->satisfy = new->satisfy;
> 
>         if( new->satisfy == SATISFY_ALL) conf->satisfy = new->satisfy;
> 
> (currently SATISFY_ALL == 0, so the above works, but it's better to make
> it explicit...)
> 
> >       return (void*)conf;
> >   }
> >   
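
Review bot: The truth test in "if( new->satisfy ) conf->satisfy = new->satisfy;" cannot tell an explicit Satisfy All from a config with no Satisfy directive, because SATISFY_ALL is 0. A .htaccess that sets Satisfy All under a Satisfy Any parent is therefore dropped by the merge, and the directory stays on the less restrictive mode. Give the per-directory config a distinct "not specified" default (the SATISFY_NOSPEC idea raised in this thread) and inherit only on that value. When the test is false, nothing in the visible lines assigns conf->satisfy, so the hunk relies on conf having been seeded from base earlier in the function; an explicit else branch taking base->satisfy would make that dependency visible. If the comparison is spelled out against the constant, it has to be new->satisfy != SATISFY_ALL to keep the same behaviour.
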
> > 
> > 
> 
> 
> 
> 
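
The three merge rules discussed in this thread, side by side, as an added example that is not part of the original messages and is not Apache source. Only SATISFY_ALL == 0 comes from the thread; the values of SATISFY_ANY and SATISFY_NOSPEC, and all function names, are assumptions made for this sketch.

```c
#include <stdio.h>

/* Constructed model, not Apache source. Only SATISFY_ALL == 0 comes from
 * the thread; the other two values are assumptions for this sketch. */
enum { SATISFY_ALL = 0, SATISFY_ANY = 1, SATISFY_NOSPEC = 2 };

/* Pre-patch line from the hunk: the child config always wins. */
static int merge_overwrite(int base, int child) { (void)base; return child; }

/* Patched line: a zero child is treated as "nothing specified". */
static int merge_truthy(int base, int child) { return child ? child : base; }

/* Sentinel variant: configs start at SATISFY_NOSPEC, and only that
 * value inherits from the parent. */
static int merge_sentinel(int base, int child)
{
    return child != SATISFY_NOSPEC ? child : base;
}

/* With the sentinel, "never specified anywhere" must still mean All. */
static int effective(int merged)
{
    return merged == SATISFY_NOSPEC ? SATISFY_ALL : merged;
}

static const char *name(int s)
{
    return s == SATISFY_ANY ? "Any" : s == SATISFY_ALL ? "All" : "NoSpec";
}

int main(void)
{
    /* Parent directory says "Satisfy Any". With a zero default, a
     * .htaccess that is silent and one that says "Satisfy All" both
     * arrive at the merge as 0; with the sentinel they differ. */
    int base = SATISFY_ANY;
    printf("child silent: overwrite=%s truthy=%s sentinel=%s\n",
           name(merge_overwrite(base, 0)), name(merge_truthy(base, 0)),
           name(effective(merge_sentinel(base, SATISFY_NOSPEC))));
    printf("child All:    overwrite=%s truthy=%s sentinel=%s\n",
           name(merge_overwrite(base, SATISFY_ALL)),
           name(merge_truthy(base, SATISFY_ALL)),
           name(effective(merge_sentinel(base, SATISFY_ALL))));
    return 0;
}
```

Only the sentinel variant returns Any for the silent child and All for the explicit one; the other two each get one of the cases wrong.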

