coar 01/09/28 11:36:24 Modified: htdocs/manual/mod mod_auth.html Log: Add note about null user/pw pairs in AuthUserFile Revision Changes Path 1.27 +11 -3 httpd-docs-1.3/htdocs/manual/mod/mod_auth.html Index: mod_auth.html =================================================================== RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/mod/mod_auth.html,v retrieving revision 1.26 retrieving revision 1.27 diff -u -u -r1.26 -r1.27 --- mod_auth.html 2001/09/10 17:51:31 1.26 +++ mod_auth.html 2001/09/28 18:36:24 1.27 @@ -223,9 +223,17 @@ used instead. <P> -Security: make sure that the AuthUserFile is stored outside the -document tree of the web-server; do <EM>not</EM> put it in the directory that -it protects. Otherwise, clients will be able to download the AuthUserFile.<P> +<dl> +<dt><b>Security:</b></dt> +<dd>Make sure that the AuthUserFile is stored outside the +document tree of the web-server; do <em>not</em> put it in the directory that +it protects. Otherwise, clients may be able to download the AuthUserFile.</dd> +<dd>Also be aware that null usernames are permitted, and null passwords +as well (through Apache 1.3.20). If your AuthUserFile includes a +line containing only a colon (':'), a '<code>Require valid-user</code>' +will allow access if both the username and password in the credentials are +omitted.</dd> +</dl> See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A> and
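Review bot: In the second added <dd>, the parenthetical "(through Apache 1.3.20)" is attached only to null passwords, so the text does not say whether null usernames are still accepted after that release, and the entry describes the behaviour without telling the administrator what to do about it. Suggest stating the version scope for both fields and adding an explicit instruction, for example to check the AuthUserFile for a line consisting only of ':' and remove it, since the text itself says that with 'Require valid-user' such a line allows access when both username and password are omitted. Minor: the added markup uses lowercase tags (<dl>, <em>) where the surrounding context uses uppercase (<P>, <A HREF>), and the <P> that used to separate the security note from "See also" is dropped, so that sentence now follows </dl> directly.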