httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Torsten Krah <krah...@gmail.com>
Subject Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType
Date Thu, 15 Mar 2018 14:50:19 GMT
Am Donnerstag, den 15.03.2018, 10:44 -0400 schrieb Eric Covener:
> I think you should be setting it to a customized string or an existing
> one if you want a fallthrough behavior.  Anything else seems
> undefined/dangerous.

lua docs does not tell that i should set AuthType anywhere searching for
it on:

https://httpd.apache.org/docs/trunk/mod/mod_lua.html

So is this a *must* have to set additionally? Shouldn't it be better
than if either httpd errors out if it finds one of those lua auth
handler directives without an AuthType? Or maybe just set one implicitly
to e.g. AuthType LUA when configuration is parsed?

And i am curious - why its dangerous? If it is dangerous - shouldn't the
docs have some note about this added?
Reading them i was under the impression - and because httpd does not
bail about it - that its not needed using the lua handlers.

kind regards

Torsten

Mime
View raw message