httpd-docs mailing list archives

Subject DO NOT REPLY [Bug 50378] New: examples on <Location /> might trick people into wrong feeling of security
Date Tue, 30 Nov 2010 00:58:29 GMT

           Summary: examples on <Location /> might trick people into wrong
                    feeling of security
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Documentation


Marked this as major, as it might (IMHO) trick people or their understanding on
how to secure a server.

In several places, e.g.: ("What to use When")
and maybe others
you describe that using <Location /> is perfectly secure (to do access control)
as it applies to all requests.

Depending on how merging works (see my other issue #50377) this is NOT totally
true, as the following example proves:
<Location />
    Order allow,deny
    Deny from all
</Location>
<LocationMatch /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from ::1
</LocationMatch>

From the <Location /> one might think "this applies to everything thus all
access to the server is forbidden"... however due to the 2nd section this is
actually not true.


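Added example (not part of the original bug report or of the httpd documentation): a small Python audit check that flags any <Location>/<LocationMatch> section restating access control after a deny-all <Location />, the pattern the report describes. It assumes a single flat configuration file, the Order/Allow/Deny syntax used in the report, and the override behaviour as the reporter describes it; all function and variable names are hypothetical.

```python
import re

# Constructed sample: the report's configuration with its closing tags restored.
SAMPLE_CONF = """\
<Location />
    Order allow,deny
    Deny from all
</Location>
<LocationMatch /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from ::1
</LocationMatch>
"""
# Directives treated as access control for this audit (assumed scope).
ACCESS = {"order", "allow", "deny", "require", "satisfy"}
OPEN = re.compile(r"<(LocationMatch|Location)\s+\"?([^\">]+)\"?\s*>", re.I)
CLOSE = re.compile(r"</(LocationMatch|Location)\s*>", re.I)

def parse_sections(conf):
    """Return [(kind, pattern, [directive lines])] in file order."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            current = (m.group(1), m.group(2).strip(), [])
            sections.append(current)
        elif CLOSE.match(line):
            current = None
        elif current is not None and line and not line.startswith("#"):
            current[2].append(line)
    return sections

def is_deny_all(lines):
    lowered = [" ".join(l.lower().split()) for l in lines]
    return "deny from all" in lowered and not any(l.startswith("allow ") for l in lowered)

def find_overrides(conf):
    """List later sections that restate access control after a deny-all <Location />."""
    findings, catch_all_seen = [], False
    for kind, pattern, lines in parse_sections(conf):
        restated = [l for l in lines if l.split()[0].lower() in ACCESS]
        if kind.lower() == "location" and pattern == "/" and is_deny_all(lines):
            catch_all_seen = True
        elif catch_all_seen and restated:
            findings.append((kind, pattern, restated))
    return findings
```

Each finding is a section whose effective access rules need to be reviewed on their own rather than assumed to inherit the catch-all deny.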