httpd-docs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50378] New: examples on <Location /> might trick people into wrong feeling of security
Date Tue, 30 Nov 2010 00:58:29 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50378

           Summary: examples on <Location /> might trick people into wrong
                    feeling of security
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Documentation
        AssignedTo: docs@httpd.apache.org
        ReportedBy: calestyo@scientia.net


Hi.

Marked this as major, as it might (IMHO) trick people or their understanding on
how to secure a server.

In several places, e.g.:
http://httpd.apache.org/docs/2.2/mod/core.html#location
http://httpd.apache.org/docs/2.2/sections.html#file-and-web ("What to use When"
section)
and maybe others
you describe that using <Location /> is perfectly secure (to do access control)
as it applies to all requests.

Depending on how merging works (see my other issue #50377) this is NOT totally
true, as the following example proves:
<Location />
    Order allow,deny
    Deny from all
</Location>
<LocationMatch /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from 127.0.0.1 ::1
</LocationMatch>

From the <Location /> one might think "this applies to everything thus all
access to the server is forbidden"... however due to the 2nd section this is
actually not true.


Cheers,
Chris.
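
Added example, not part of the original report and not Apache code: a simplified Python model of the configuration above, for checking which section's access rules end up governing a given URL. It assumes that matching sections are applied in configuration order and that a later section's Order/Allow/Deny replace the earlier section's entirely; the function names and the sample client addresses are constructed.

```python
import ipaddress
import re

# Constructed model of the report's two sections, in configuration order.
# access is None for a section that carries no Order/Allow/Deny directives.
SECTIONS = [
    ("Location", "/", {"order": "allow,deny", "allow": [], "deny": ["all"]}),
    ("LocationMatch", "/server-status",
     {"order": "allow,deny", "allow": ["127.0.0.1", "::1"], "deny": []}),
]

def section_matches(kind, pattern, path):
    if kind == "LocationMatch":
        return re.search(pattern, path) is not None  # unanchored regex
    # Simplified <Location>: "/" covers everything, otherwise a segment prefix.
    prefix = pattern.rstrip("/")
    return pattern == "/" or path == prefix or path.startswith(prefix + "/")

def host_in(specs, client):
    addr = ipaddress.ip_address(client)
    return any(s == "all" or addr == ipaddress.ip_address(s) for s in specs)

def effective_access(path):
    """Return (access, source). Assumption: the last matching section that
    sets access directives replaces whatever an earlier section set."""
    access, source = None, None
    for kind, pattern, acc in SECTIONS:
        if acc is not None and section_matches(kind, pattern, path):
            access, source = acc, f"<{kind} {pattern}>"
    return access, source

def is_allowed(path, client):
    access, _ = effective_access(path)
    if access is None:
        return True  # no host-based restriction in this model
    allowed = host_in(access["allow"], client)
    denied = host_in(access["deny"], client)
    if access["order"] == "allow,deny":
        return allowed and not denied  # default deny; Deny overrides Allow
    return allowed or not denied       # deny,allow: default allow; Allow overrides Deny

if __name__ == "__main__":
    for path, client in [("/index.html", "127.0.0.1"),
                         ("/server-status", "127.0.0.1"),
                         ("/server-status", "203.0.113.7")]:
        verdict = "allowed" if is_allowed(path, client) else "denied"
        print(f"{path:16} {client:14} {verdict:8} by {effective_access(path)[1]}")
```

Listing the governing section per URL shows where a deny-all in <Location /> has been superseded by a later section.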
