>Number: 772
>Category: mod_auth-any
>Synopsis: Satisfy ignores <Limit> context
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Jun 23 10:30:01 1997
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.0
>Environment: SunOS saturn 4.1.4 1 sun4 GCC 2.7.2
>Description:
If the Satisfy directive is included in non-overlapping <Limit> directives in an .htaccess file, only the last is in effect. This affects configurations where one <Limit> allows 'Satisfy Any' to one protocol, and 'Satisfy All' to another protocol.
Makes it impossible for me to set authoring (PUT protocol) limits on the directory, and different readership (GET protocol) limits for public.
>How-To-Repeat:
Produce this problem as follows: Create a directory and add the following .htaccess file:

    AuthType Basic
    AuthName authenticated access
    AuthUserFile /usr/local/httpd/conf/passwd
    AuthGroupFile /usr/local/httpd/conf/group
    <Limit GET>
    Satisfy Any
    order deny,allow
    deny from all
    allow from all
    require group users
    </Limit>
    <Limit POST>
    Satisfy All
    order deny,allow
    deny from all
    allow from all
    require group foobar
    </Limit>

Now attempt to access the URL corresponding to the directory created above. You will be thrown a 401 code. Remove the 'Satisfy' directive and you will not.
>Fix:
Not at this time
>Audit-Trail:
>Unformatted:
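
As an added example (not part of the original report and not Apache's own code), the Python check below scans an .htaccess file for Satisfy directives inside <Limit> blocks and lists the methods whose written value differs from the last Satisfy in the file, which the report says is the only one in effect. The function names are hypothetical and the sample input is the configuration from the How-To-Repeat field.

```python
import re

# Constructed input: the .htaccess from the report's How-To-Repeat field.
REPORT_HTACCESS = """\
AuthType Basic
AuthName authenticated access
AuthUserFile /usr/local/httpd/conf/passwd
AuthGroupFile /usr/local/httpd/conf/group
<Limit GET>
Satisfy Any
order deny,allow
deny from all
allow from all
require group users
</Limit>
<Limit POST>
Satisfy All
order deny,allow
deny from all
allow from all
require group foobar
</Limit>
"""

LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]+)>$", re.I)
LIMIT_CLOSE = re.compile(r"^</Limit>$", re.I)
SATISFY = re.compile(r"^Satisfy\s+(\S+)", re.I)

def satisfy_directives(text):
    """Return [(methods, value, line_no)]; methods is () outside any <Limit>."""
    found, methods = [], ()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if (m := LIMIT_OPEN.match(line)):
            methods = tuple(x.upper() for x in m.group(1).split())
        elif LIMIT_CLOSE.match(line):
            methods = ()
        elif (m := SATISFY.match(line)):
            found.append((methods, m.group(1).lower(), no))
    return found

def overridden_methods(text):
    """Map method -> (written, effective, line) where the last Satisfy overrides it."""
    found = satisfy_directives(text)
    effective = found[-1][1] if found else None  # assumption: last one wins, per the report
    return {meth: (value, effective, no) for methods, value, no in found
            for meth in methods if value != effective}
```

For the report's file this flags GET: it is written as `Satisfy Any` but ends up governed by the `Satisfy All` from the POST block, so the intended open read access is lost.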
