>Number:         538
>Category:       mod_access
>Synopsis:       mod_access syntax allows hosts that should be restricted
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat May  3 16:40:02 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2b10
>Environment:
Linux 1.2.29 (not relevant)
>Description:
allow id.wustl.edu applies not only to 'id.wustl.edu', but also to all
'host.id.wustl.edu'. A better syntax would be 'allow id.wustl.edu' for
the host, and 'allow .id.wustl.edu' for the subdomain. This is also
true for IP addresses, but of no consequence, since all IP addresses
are the same length (4 pos).
Note: The current behavior is consistent with the docs, but not
optimal IMHO.
>How-To-Repeat:
Try 'allow apache.org'. This will also allow www.apache.org. 'allow
.apache.org' allows the entire subdomain, but there is no way to allow
only 'apache.org'.
>Fix:
mod_access 'else return (domain[0] == '.' || what[wl-dl-1] == '.');' to
'else return (domain[0] == '.' && what[wl-dl-1] == '.');'
>Audit-Trail:
>Unformatted:
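
The matching behaviour this report describes, next to the syntax its Description proposes, as an added example (not mod_access source and not the submitter's patch). The function names match_current and match_strict, the empty-rule guard and the sample hosts are assumptions made for illustration; only the final return expression of match_current is taken from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Behaviour described in the report: a rule matches when it equals the host,
 * or when it is a suffix of the host that starts at a label boundary. */
static int match_current(const char *domain, const char *what)
{
    size_t dl = strlen(domain), wl = strlen(what);

    /* Empty rules never match (guard added for this example). */
    if (dl == 0 || wl < dl || strcasecmp(domain, what + (wl - dl)) != 0)
        return 0;
    if (wl == dl)
        return 1;                       /* matched the whole name */
    return domain[0] == '.' || what[wl - dl - 1] == '.';
}

/* Syntax proposed in the Description: a bare name allows that host only,
 * a leading dot allows the hosts underneath that domain. */
static int match_strict(const char *domain, const char *what)
{
    size_t dl = strlen(domain), wl = strlen(what);

    if (dl == 0)
        return 0;
    if (domain[0] != '.')
        return strcasecmp(domain, what) == 0;
    return wl > dl && strcasecmp(domain, what + (wl - dl)) == 0;
}

int main(void)
{
    /* Constructed rule/host pairs, not taken from any real configuration. */
    const char *cases[][2] = {
        { "apache.org",  "apache.org"     },
        { "apache.org",  "www.apache.org" },
        { "apache.org",  "notapache.org"  },
        { ".apache.org", "www.apache.org" },
        { ".apache.org", "apache.org"     },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("allow %-12s host %-15s current=%d strict=%d\n",
               cases[i][0], cases[i][1],
               match_current(cases[i][0], cases[i][1]),
               match_strict(cases[i][0], cases[i][1]));
    return 0;
}
```

When reviewing an existing configuration, any bare-name allow rule should be read with the current semantics, that is, as also covering every host below that name.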

