httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@apache.org
Subject cvs commit: httpd-docs-1.3/htdocs/manual/mod mod_auth.html
Date Fri, 28 Sep 2001 18:36:24 GMT
coar        01/09/28 11:36:24

  Modified:    htdocs/manual/mod mod_auth.html
  Log:
  Add note about null user/pw pairs in AuthUserFile
  
  Revision  Changes    Path
  1.27      +11 -3     httpd-docs-1.3/htdocs/manual/mod/mod_auth.html
  
  Index: mod_auth.html
  ===================================================================
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/mod_auth.html,v
  retrieving revision 1.26
  retrieving revision 1.27
  diff -u -u -r1.26 -r1.27
  --- mod_auth.html	2001/09/10 17:51:31	1.26
  +++ mod_auth.html	2001/09/28 18:36:24	1.27
  @@ -223,9 +223,17 @@
   used instead.
   <P>
   
  -Security: make sure that the AuthUserFile is stored outside the
  -document tree of the web-server; do <EM>not</EM> put it in the directory that
  -it protects. Otherwise, clients will be able to download the AuthUserFile.<P>
  +<dl>
  +<dt><b>Security:</b></dt>
  +<dd>Make sure that the AuthUserFile is stored outside the
  +document tree of the web-server; do <em>not</em> put it in the directory that
  +it protects. Otherwise, clients may be able to download the AuthUserFile.</dd>
  +<dd>Also be aware that null usernames are permitted, and null passwords
  +as well (through Apache 1.3.20).  If your AuthUserFile includes a
  +line containing only a colon (':'), a '<code>Require valid-user</code>'
  +will allow access if both the username and password in the credentials are
  +omitted.</dd>
  +</dl>
   
   See also <A HREF="core.html#authname">AuthName</A>,
   <A HREF="core.html#authtype">AuthType</A> and
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: apache-docs-unsubscribe@apache.org
For additional commands, e-mail: apache-docs-help@apache.org


Mime
View raw message