httpd-dev mailing list archives

From: Ed Korthof ...@organic.com>
Subject: Re: [PATCH] fix for satisfy merging
Date: Mon, 03 Feb 1997 00:32:49 GMT

Umm, unless I'm missing something, this means setting SATISFY_ALL in the
.htdocs will be ignored, no?  (Because SATISFY_ALL == 0 currently.)  Is
that reasonable behavior?  -- It sounds like a security hole, since a
person creating a .htaccess would assume their Satisfy directive would be
in effect... 

The attached patch fixes that, at the expense of some clarity and a
potential problem with breaking other modules; I added an additional
constant, SATISFY_NOSPEC, which is the default value; I also looked
through all the source files in the standard code base, and changed the
appropriate bits of code to take that into account.  However, it does
change the default way in which core_dir_configs are created, which may
well affect other modules... would it make more sense to have a
SATISFY_ALL_EXPLICIT?

<sigh>  Not sure how else to fix this w/o cluttering some structure w/ a
variable to indicate whether or not Satisfy has been called explicitly for
each core_dir_config... (ugg).

If this behavior is fine, then we should still make one change, noted
below...

     -- Ed Korthof        |  Web Server Engineer --
     -- ed@organic.com    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

On Sat, 1 Feb 1997, Dean Gaudet wrote:

> On Sat, 1 Feb 1997, Marc Slemko wrote:
> >   * Satisfy Any can be changed if .htaccess exists
> >         If you give Satisfy Any in access.conf for a particular directory,
> >         and have a .htaccess in that directory, Satisfy mode reverts
> >         to Satisfy All even if the .htaccess has _no_ authentication
> >         directives.
> 
> This should fix this.
> 
> Dean
> 
> Index: http_core.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_core.c,v
> retrieving revision 1.62
> diff -c -3 -r1.62 http_core.c
> *** http_core.c	1997/02/01 22:03:36	1.62
> --- http_core.c	1997/02/02 07:06:35
> ***************
> *** 153,159 ****
>   
>       conf->sec = append_arrays (a, base->sec, new->sec);
>   
> !     conf->satisfy = new->satisfy;
>       return (void*)conf;
>   }
>   
> --- 156,162 ----
>   
>       conf->sec = append_arrays (a, base->sec, new->sec);
>   
> !     if( new->satisfy ) conf->satisfy = new->satisfy;

        if( new->satisfy != SATISFY_ALL) conf->satisfy = new->satisfy;

(currently SATISFY_ALL == 0, so the above works, but it's better to make
it explicit...)

>       return (void*)conf;
>   }
>   
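
Review bot: the truthiness test in the changed line of the merge function, `if( new->satisfy )`, cannot tell "Satisfy not given" from an explicit Satisfy All, because SATISFY_ALL is 0 (as the reply notes). An explicit Satisfy All in a more specific config such as a .htaccess is therefore dropped during the merge and an inherited Satisfy Any stays in effect, which loosens access control where the author asked for it to be tightened. Suggest initialising the field to a distinct unset value (the SATISFY_NOSPEC proposed in the reply) and testing `new->satisfy != SATISFY_NOSPEC` here, with the unset value treated as Satisfy All wherever the field is read.
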
> 
> 
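
The three merge behaviours discussed in this message, side by side, as an added example that is not part of the original post or of Apache's source. It reduces each config to its satisfy value; SATISFY_ALL == 0 is from the thread, while the values of SATISFY_ANY and SATISFY_NOSPEC and all function names are assumptions.

```c
#include <stdio.h>

/* SATISFY_ALL == 0 comes from the thread; the values of SATISFY_ANY and
 * SATISFY_NOSPEC are assumptions made for this example. */
enum { SATISFY_ALL = 0, SATISFY_ANY = 1, SATISFY_NOSPEC = 2 };

/* Each function takes the satisfy field of the inherited config (base)
 * and of the more specific one (add), and returns the merged value. */

/* Before the patch: the more specific config always wins. */
static int merge_overwrite(int base, int add) { (void)base; return add; }

/* Quoted patch: 0 is read as "not set", but 0 is also SATISFY_ALL. */
static int merge_truthy(int base, int add) { return add ? add : base; }

/* Sentinel approach: only an explicit directive overrides. */
static int merge_nospec(int base, int add)
{
    return add != SATISFY_NOSPEC ? add : base;
}

/* Resolve the sentinel to the safe default when the value is used. */
static int effective(int satisfy)
{
    return satisfy == SATISFY_NOSPEC ? SATISFY_ALL : satisfy;
}

static const char *name(int s)
{
    return s == SATISFY_ANY ? "Any" : s == SATISFY_ALL ? "All" : "unset";
}

int main(void)
{
    /* access.conf says Satisfy Any; .htaccess has no Satisfy line.
     * Without a sentinel the .htaccess field defaults to 0. */
    printf("no Satisfy, overwrite: %s\n", name(merge_overwrite(SATISFY_ANY, 0)));
    printf("no Satisfy, truthy:    %s\n", name(merge_truthy(SATISFY_ANY, 0)));
    printf("no Satisfy, sentinel:  %s\n",
           name(effective(merge_nospec(SATISFY_ANY, SATISFY_NOSPEC))));
    /* access.conf says Satisfy Any; .htaccess says Satisfy All. */
    printf("explicit All, truthy:   %s\n",
           name(merge_truthy(SATISFY_ANY, SATISFY_ALL)));
    printf("explicit All, sentinel: %s\n",
           name(effective(merge_nospec(SATISFY_ANY, SATISFY_ALL))));
    return 0;
}
```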