From: Graham Leggett
To: dev@httpd.apache.org
Subject: RequireAll: seems to evaluate require lines unnecessarily
Date: Thu, 2 Aug 2012 23:49:05 +0200
Message-Id: <5D83261B-328B-4D3D-B06E-B1C639362C60@sharp.fm>

Hi all,

I have a config like this using httpd v2.4, in an effort to password protect each person's userdir:

    <RequireAll>
        Require valid-user
        Require expr %{note:mod_userdir_user} == %{REMOTE_USER}
    </RequireAll>

Hit it with a browser, and instead of 401 Unauthorized I'm getting 403 Forbidden instead, which prevents the basic authentication from kicking in and the user is denied.

The log however shows something odd - despite the RequireAll directive being used, which implies AND behaviour, which in turn implies that require lines should be parsed until the first one fails and then the parsing should stop, both require lines are being evaluated even though the first line failed, and the result of the second require line is being sent instead.

    [Thu Aug 02 23:35:08.874887 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Thu Aug 02 23:35:08.875130 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied
    [Thu Aug 02 23:35:08.875153 2012] [authz_core:debug] [pid 19527:tid 1100466496] mod_authz_core.c(783): [client 127.0.0.1:50635] AH01626: authorization result of : denied

In theory, in the RequireAll situation, require directives should be parsed until one fails, and the result of that failure returned to the client. All further require lines should be ignored as is standard behaviour for AND implementations. In the example above, the "authorization result of Require valid-user : denied (no authenticated user yet)" part should prevent the "authorization result of Require expr %{note:mod_userdir_user} == %{REMOTE_USER}: denied" part from being attempted at all.

Can someone check whether my thinking is correct?

Regards,
Graham
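The difference the message describes, as a small C model added here (not code from the post and not mod_authz_core's own): the two Require lines are combined once with an AND that stops at the first failure and once with an AND that runs every line and reports the last failure. The result names, the `req_t` struct, the sample user `alice` and the 401/403 mapping are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this model; names are the example's own, not httpd's. */
typedef enum { GRANTED, DENIED, DENIED_NO_USER } result_t;
/* Constructed request: authenticated user (NULL = none yet), userdir owner. */
typedef struct { const char *remote_user; const char *userdir_user; } req_t;
typedef result_t (*check_fn)(const req_t *);
/* Models "Require valid-user": undecidable until someone has authenticated. */
static result_t valid_user(const req_t *r) {
    return r->remote_user ? GRANTED : DENIED_NO_USER;
}
/* Models "Require expr %{note:mod_userdir_user} == %{REMOTE_USER}". */
static result_t user_owns_dir(const req_t *r) {
    const char *u = r->remote_user ? r->remote_user : "";
    return strcmp(u, r->userdir_user) == 0 ? GRANTED : DENIED;
}
static const check_fn CHECKS[] = { valid_user, user_owns_dir };
#define NCHECKS (sizeof CHECKS / sizeof CHECKS[0])

/* AND that stops at the first failing line: the behaviour the message expects. */
static result_t all_short_circuit(const req_t *r) {
    for (size_t i = 0; i < NCHECKS; i++) {
        result_t res = CHECKS[i](r);
        if (res != GRANTED) return res;
    }
    return GRANTED;
}
/* AND that runs every line and keeps the last failure: what the log shows. */
static result_t all_last_failure(const req_t *r) {
    result_t out = GRANTED;
    for (size_t i = 0; i < NCHECKS; i++) {
        result_t res = CHECKS[i](r);
        if (res != GRANTED) out = res;
    }
    return out;
}
/* Assumed mapping: only "no user yet" yields a 401 challenge, else 403. */
static int http_status(result_t res) {
    return res == GRANTED ? 200 : (res == DENIED_NO_USER ? 401 : 403);
}

int main(void) {
    req_t anon = { NULL, "alice" };  /* constructed: no credentials sent yet */
    printf("stop-at-first: %d  run-all: %d\n", http_status(all_short_circuit(&anon)),
           http_status(all_last_failure(&anon)));
    return 0;
}
```

The two combinations differ only for the request that carries no credentials; an authenticated owner is granted and an authenticated non-owner is refused under both.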