On Sat, Aug 3, 2013 at 11:34 AM, Mikhail T. <mi+t...@aldan.algebra.com> wrote: > Point is, it is erring. I asked Ben for possible use-cases and his two > examples were modules, which use the authorization rules to generate > different content depending on the result. Rather than to decide, whether to > authorize the request at all.
I think you're jumping to massive conclusions about my ability to answer questions. While I've been an httpd user for a relatively long time I've only had httpd commit access for all of a week. I wasn't involved in writing the auth code that exists and I may not have provided you the best examples. Just because I haven't provided better examples doesn't mean they exist. I gave you the examples that came to mind. First and foremost the primary concern of security code is always correctly implementing the security model, not running as fast as possible. If you can make it run faster without breaking the model, then I'm sure your patch would be accepted. For what it's worth I can't replicate your issue. I tried replicating just the duplicate authz check against the directory and then against the DirectoryIndex. I end up getting exactly one authz process: [Sat Aug 03 11:48:43.170081 2013] [authz_core:debug] [pid 48038:tid 4316540928] mod_authz_core.c(845): [client 127.0.0.1:63874] AH01626: authorization result of Require all granted: granted [Sat Aug 03 11:48:43.170096 2013] [authz_core:debug] [pid 48038:tid 4316540928] mod_authz_core.c(845): [client 127.0.0.1:63874] AH01626: authorization result of <RequireAny>: granted [Sat Aug 03 11:48:43.170102 2013] [core:trace3] [pid 48038:tid 4316540928] request.c(238): [client 127.0.0.1:63874] request authorized without authentication by access_checker_ex hook: / Can you produce a minimal example configuration that reproduces the issue. Let's avoid the PHP scripts for now. > The situation would've made some sense, if I could configure things > separately. For example: > > # Lock-out attempts to invoke php-fpm directly: > <Location /php-fpm> > Require none granted > </Location> > > # Allow any PHP script under DocumentRoot to be executed otherwise: > <LocationMatch \.php$> > Require all granted > </LocationMatch> > > But I can't -- all requests for foo.php would go through both of the > above... Have you actually tried this? Because it does work. The only problem you'll run into is that the main request for the /php-fpm/ URI will fail before the DirectoryIndex applies. For instance I have something that looks like this: <Directory /> Require all denied </Directory> <Directory "/Users/breser/httpd-2.4.6-root/htdocs"> DirectoryIndex index.html Require all granted </Directory> <Location /> Require all denied </Location> <LocationMatch \.html$> Require all granted </LocationMatch> I can hit /index.html but not index.txt. I can't get / and the directory index doesn't work, but I can easily fix that by doing changing my LocationMatch to: (^/$)|(\.html$) If I change DirectoryIndex to index.txt it'll break because I've disallowed that. Note that you've actually just shown an example of why sub-requests should check security. Side note: It'd be Require all denied to block all access.
