www-apache-bugdb mailing list archives

From Fred Lindberg <lindb...@id.wustl.edu>
Subject mod_access/538: mod_access syntax allows hosts that should be restricted
Date Sat, 03 May 1997 23:40:03 GMT

>Number:         538
>Category:       mod_access
>Synopsis:       mod_access syntax allows hosts that should be restricted
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat May  3 16:40:02 1997
>Originator:     lindberg@id.wustl.edu
>Organization:
apache
>Release:        1.2b10
>Environment:
Linux 1.2.29 (not relevant)
>Description:
allow id.wustl.edu applies not only to 'id.wustl.edu', but also to all
'host.id.wustl.edu'. A better syntax would be 'allow id.wustl.edu' for
the host, and 'allow .id.wustl.edu' for the subdomain. This is also
true for IP addresses, but of no consequence, since all IP addresses
are the same length (4 pos).
Note: The current behavior is consistent with the docs, but not
optimal IMHO.
>How-To-Repeat:
Try 'allow apache.org'. This will also allow www.apache.org. 'allow
.apache.org' allows the entire subdomain, but there is no way to allow
only 'apache.org'.
>Fix:
mod_access 'else return (domain[0] == '.' || what[wl-dl-1] == '.');' to
'else return (domain[0] == '.' && what[wl-dl-1] == '.');'
>Audit-Trail:
>Unformatted:
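
Added example, not part of the original report and not Apache's own source: a small C model of the suffix check around the line quoted under >Fix:, run with the `||` form, the proposed `&&` form, and a hypothetical dot-only rule. Everything except the two quoted return expressions (the function body, the `rule` enum, the sample host names) is an assumption constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum rule { RULE_CURRENT, RULE_PROPOSED, RULE_DOT_ONLY };

/* Assumed shape of the matcher around the quoted line:
 * `domain` is the argument to allow, `what` is the client's host name. */
static int in_domain(const char *domain, const char *what, enum rule r)
{
    size_t dl = strlen(domain), wl = strlen(what);

    if (wl < dl)
        return 0;                       /* client name shorter than rule */
    if (strcasecmp(domain, what + (wl - dl)) != 0)
        return 0;                       /* rule is not a suffix of the name */
    if (wl == dl)
        return 1;                       /* whole name matched */

    /* Suffix matched with characters left over: decide on the boundary. */
    switch (r) {
    case RULE_CURRENT:  return domain[0] == '.' || what[wl - dl - 1] == '.';
    case RULE_PROPOSED: return domain[0] == '.' && what[wl - dl - 1] == '.';
    case RULE_DOT_ONLY: return domain[0] == '.';   /* hypothetical variant */
    }
    return 0;
}

int main(void)
{
    static const char *cases[][2] = {   /* constructed inputs */
        {"apache.org",  "apache.org"},
        {"apache.org",  "www.apache.org"},
        {"apache.org",  "notapache.org"},
        {".apache.org", "www.apache.org"},
        {".apache.org", "apache.org"},
    };
    printf("%-12s %-16s current proposed dot-only\n", "allow", "client");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s %-16s %-7d %-8d %d\n", cases[i][0], cases[i][1],
               in_domain(cases[i][0], cases[i][1], RULE_CURRENT),
               in_domain(cases[i][0], cases[i][1], RULE_PROPOSED),
               in_domain(cases[i][0], cases[i][1], RULE_DOT_ONLY));
    return 0;
}
```

Under this model the `&&` form returns 0 for `.apache.org` against `www.apache.org`, because the character just before the matched suffix is `w`, not a dot. The dot-only rule gives the split the report asks for: a bare name matches only that host, a leading dot matches only hosts below it.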


