I've never been able to figure this out either. What the heck is "Order Mutual-failure" supposed to do?
From: [EMAIL PROTECTED] (ljb)
Newsgroups: comp.infosystems.www.servers.unix
Subject: Apache "Order Allow,Deny" vs "Order Mutual-failure"?
Date: 26 Sep 2000 01:15:32 GMT
Organization: MindSpring Enterprises
Lines: 26
Message-ID: <[EMAIL PROTECTED]>
NNTP-Posting-Host: 04.36.29.10
X-no-archive: yes
User-Agent: slrn/0.9.5.4 (UNIX)

After reading the Apache documentation (and the O'Reilly book, and another book on security) I was still really confused about the 3 choices for "Order" in Allow/Deny access rules. So I looked at the source, and now it seems to me the documentation is wrong, and "Order Allow,Deny" is exactly the same as "Order Mutual-failure". Look at this summary of the code in mod_access.c (Apache 1.3.12) check_dir_access(), and tell me if I'm wrong.

    if (a->order[method] == ALLOW_THEN_DENY) {
        ret = FORBIDDEN;
        if (find_allowdeny(r, a->allows, method))
            ret = OK;
        if (find_allowdeny(r, a->denys, method))
            ret = FORBIDDEN;
    }
    ...
    else /* (a->order[method] == MUTUAL_FAILURE) */ {
        if (find_allowdeny(r, a->allows, method) &&
            !find_allowdeny(r, a->denys, method))
            ret = OK;
        else
            ret = FORBIDDEN;
    }

To me, both cases above (ALLOW_THEN_DENY and MUTUAL_FAILURE) result in the exact same value of "ret" for any set of returns from find_allowdeny(). Am I wrong? Can someone show me a case where "Order Allow,Deny" differs from "Order Mutual-failure"?
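
The comparison the post asks for can be run exhaustively. This is an added example, not part of the original post and not Apache's code: it models only the two branches as quoted above, and the names allow_hit, deny_hit, RET_OK and RET_FORBIDDEN are assumptions standing in for the two find_allowdeny() results and for OK/FORBIDDEN.

```c
#include <stdio.h>

/* Stand-ins for Apache's OK / FORBIDDEN; the numeric values are constructed. */
enum { RET_OK = 0, RET_FORBIDDEN = 403 };

/* ALLOW_THEN_DENY branch as quoted in the post.
 * allow_hit models find_allowdeny(r, a->allows, method),
 * deny_hit  models find_allowdeny(r, a->denys,  method). */
static int allow_then_deny(int allow_hit, int deny_hit)
{
    int ret = RET_FORBIDDEN;      /* default: no Allow match means refused */
    if (allow_hit)
        ret = RET_OK;
    if (deny_hit)
        ret = RET_FORBIDDEN;      /* a Deny match overrides any Allow match */
    return ret;
}

/* MUTUAL_FAILURE branch as quoted in the post. */
static int mutual_failure(int allow_hit, int deny_hit)
{
    if (allow_hit && !deny_hit)
        return RET_OK;
    return RET_FORBIDDEN;
}

/* Walk all four combinations of the two lookups and count how many
 * produce a different result in the two branches. */
static int count_differences(void)
{
    int diff = 0;
    for (int allow_hit = 0; allow_hit <= 1; allow_hit++) {
        for (int deny_hit = 0; deny_hit <= 1; deny_hit++) {
            int x = allow_then_deny(allow_hit, deny_hit);
            int y = mutual_failure(allow_hit, deny_hit);
            printf("allow=%d deny=%d  Allow,Deny=%s  Mutual-failure=%s\n",
                   allow_hit, deny_hit,
                   x == RET_OK ? "OK" : "FORBIDDEN",
                   y == RET_OK ? "OK" : "FORBIDDEN");
            if (x != y)
                diff++;
        }
    }
    return diff;
}

int main(void)
{
    return count_differences() == 0 ? 0 : 1;
}
```

The branch elided by "..." in the post is not modelled here.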