www-apache-bugdb mailing list archives

From Alan Sparks <aspa...@harris.com>
Subject mod_auth-any/772: Satisfy ignores <Limit> context
Date Mon, 23 Jun 1997 17:30:02 GMT

>Number:         772
>Category:       mod_auth-any
>Synopsis:       Satisfy ignores <Limit> context
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Jun 23 10:30:01 1997
>Originator:     asparks@harris.com
>Organization:
apache
>Release:        1.2.0
>Environment:
SunOS saturn 4.1.4 1 sun4
GCC 2.7.2
>Description:
If the Satisfy directive is included in non-overlapping <Limit> directives
in an .htaccess file, only the last is in effect.  This affects configurations
where one <Limit> allows 'Satisfy Any' to one protocol, and 'Satisfy All' to
another protocol.

Makes it impossible for me to set authoring (PUT protocol) limits on the directory,
and different readership (GET protocol) limits for public.
>How-To-Repeat:
Produce this problem as follows:

Create a directory and add the following .htaccess file:
AuthType Basic
AuthName authenticated access
AuthUserFile /usr/local/httpd/conf/passwd
AuthGroupFile /usr/local/httpd/conf/group
<Limit GET>
  Satisfy Any
  order deny,allow
  deny from all
  allow from all
  require group users
</Limit>
<Limit POST>
  Satisfy All
  order deny,allow
  deny from all
  allow from all
  require group foobar
</Limit>

Now attempt to access the URL corresponding to the directory created above.
You will be thrown a 401 code.  Remove the 'Satisfy' directive and you will not.
>Fix:
Not at this time
>Audit-Trail:
>Unformatted:
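
Added example, not part of the original report or of Apache's code: a small audit that finds .htaccess files of the kind described above, where separate <Limit> sections set different Satisfy values. The sample input is constructed from the report's file, and the "last Satisfy is the one in effect" rule is an assumption taken from the report's description of 1.2.0.

```python
import re

# Constructed sample: the <Limit> sections of the .htaccess in the report.
SAMPLE = """\
AuthType Basic
<Limit GET>
  Satisfy Any
  require group users
</Limit>
<Limit POST>
  Satisfy All
  require group foobar
</Limit>
"""

OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</Limit>", re.I)
SATISFY = re.compile(r"^\s*Satisfy\s+(\w+)", re.I)

def satisfy_by_limit(text):
    """Return [(methods, value, line_no)] for each Satisfy inside a <Limit>."""
    found, methods = [], None
    for no, line in enumerate(text.splitlines(), 1):
        opened = OPEN.match(line)
        if opened:
            methods = tuple(opened.group(1).upper().split())
        elif CLOSE.match(line):
            methods = None
        elif methods is not None and SATISFY.match(line):
            found.append((methods, SATISFY.match(line).group(1).lower(), no))
    return found

def audit(text):
    """Return None if the file is unaffected, else what the report predicts.

    Assumption taken from the report: on 1.2.0 only the last Satisfy in the
    file is in effect, whatever <Limit> section it was written in."""
    entries = satisfy_by_limit(text)
    if len({value for _, value, _ in entries}) < 2:
        return None
    effective = entries[-1][1]
    return {"effective": effective,
            "overridden": [e for e in entries[:-1] if e[1] != effective]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the report's file the result says 'all' is in effect and the GET section's 'any' is overridden, which matches the 401 the reporter sees on a plain GET.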


