https://issues.apache.org/bugzilla/show_bug.cgi?id=47019
Summary: LimitExcept inside LocationMatch wipes all other
access controls
Product: Apache httpd-1.3
Version: 1.3.41
Platform: Other
OS/Version: FreeBSD
Status: NEW
Severity: major
Priority: P2
Component: core
AssignedTo: bugs@httpd.apache.org
ReportedBy: d...@jetcafe.org
Consider the following configuration:
<LocationMatch ".">
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
</LocationMatch>
Using the above configuration renders all other mod_access host/IP control
statements silently inoperative (i.e. Order/Deny/Allow).
My test case was a stock Apache 1.3.41 with the following configure target:
./configure --with-layout=Apache --prefix=/some/prefix --enable-shared=max \
--enable-module=most
Besides two production sites this was discovered on, I tested the simple case
above with a directory section like so (modulo the directory name which can be
anything):
<Directory /foo>
Order deny,allow
Allow from 127.0.0.1
Deny from all
</Directory>
then we start apache normally as a non-root user:
apache/bin/apachectl start
put a simple foo.html file in /foo, then:
lynx -dump http://my.host.name:8080/alias/to/foo
tests the IP based access from the host name and
lynx -dump http://127.0.0.1:8080/alias/to/foo
tests the localhost access.
I can provide more information on request. I believe the LocationMatch
directive to be correctly constructed, and such a block should not silently
remove all your other access controls.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org
For additional commands, e-mail: bugs-h...@httpd.apache.org
