httpd-dev mailing list archives

From Gregory A Lundberg <lundb...@vr.net>
Subject Re: general/2270: Required Patches to Apache sources for FrontPa
Date Mon, 25 May 1998 16:03:57 GMT
On Mon, 25 May 1998, Lars Eilebrecht wrote:

> >  Only one problem: this all depends upon having mod_auth, .htaccess files,
> >  group and user (htpasswd) files.  What happens if one of these isn't
> >  there?  Why we let _anyone_ .. that's right .. anyone in the world .. have
> >  at our nice Frontpage (or whatever) CGIs.  That sucks raw eggs at MACH 9
> >  through a straw doesn't it?  All this work making things secure and some
> >  dumb user FTPs in and DELEtes his .htaccess file blowing it all away.
> 
> Why do you want to use .htaccess at all? IMHO such security relevant 
> things should only go into the main server configuration.

No choice.  I'm not Vermeer, Microsoft or Ready-to-Run Software.  If I
were I'd have put all this in the server config just as you would have.

Frontpage's admin.exe (and therefore author.exe) refuse to work at all unless
the .htaccess (et al) exist and have things they recognize.  I know it
sucks but that's what they did and ours is not to reason why; ours is to
bow seven times daily toward Redmond.

> >  So we need one last change: we need to be ABSOLUTELY SURE _this_ URL was
> >  approved through mod_auth with a valid .htaccess and a valid password
> >  challenge and response. 
> 
> IMHO a check with ap_some_auth_required() is sufficient.  If
> authentication fails the request is already kicked out by mod_auth_any
> and with a call to ap_some_auth_required() you know that there is a
> require directive for this request and the user has been authenticated.
> Or am I wrong? 

That's what I'm looking for.

I guess I should point out that while I'm looking at all this stuff for
1.3, right now I'm only doing it for 1.2 (it's my production server and
I'm _not_ installing a moving target for that).  Also, I just took what I
got from RtR and cleaned up its lameness just to get it up for my
customers.  Next time through (1.3 version) I intend to do more, now that
I understand what it's doing and why.  When I'm done I'm hoping to have
_no_ RtR/MS code left so I can post it.  Right now there's that silly
mod_frontpage thingy still hanging in there changing the license terms
from Apache to standard-MS.

----

Gregory A Lundberg		Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195

