https://bz.apache.org/bugzilla/show_bug.cgi?id=62469
Bug ID: 62469
Summary: AuthzProviderAlias ignoring all Require-Parameters except first one
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
AuthzProviderAlias only accepts the first Require-Parameter even if more were
provided.
A contrived example where this could be an issue is if a user had defined a
list of blacklisted IPs, such as the following:

    <AuthzProviderAlias ip blacklisted-ips XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY>
    </AuthzProviderAlias>

    <Directory "/home/hwibell/2.4.x/built/htdocs/test">
        <RequireAll>
            Require not blacklisted-ips
            Require all granted
        </RequireAll>
    </Directory>

In the above example, clients with the IP XXX.XXX.XXX.XXX would be correctly
denied access to anything in `/test` while clients from YYY.YYY.YYY.YYY would
be able to access it when they shouldn't.
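
An added example, not part of the original report or of httpd itself: a Python check that flags `<AuthzProviderAlias>` opening tags passing more than one Require parameter, the pattern this report says is reduced to its first value. The function names and the sample configuration (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
import shlex

# Documented syntax: <AuthzProviderAlias baseProvider Alias Require-Parameters>
ALIAS_OPEN = re.compile(r"^\s*<AuthzProviderAlias\s+(.*?)>\s*$", re.IGNORECASE)


def logical_lines(text):
    """Yield (first_line_number, line), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line, buf = buf + raw, ""
        if line.strip() and not line.lstrip().startswith("#"):
            yield start, line
        start = None


def find_multi_param_aliases(text):
    """Return one finding per alias whose opening tag has more than one Require parameter."""
    findings = []
    for num, line in logical_lines(text):
        m = ALIAS_OPEN.match(line)
        if not m:
            continue
        args = shlex.split(m.group(1))  # honours quoted arguments
        if len(args) > 3:  # provider, alias, first parameter, then the extras
            findings.append({"line": num, "provider": args[0], "alias": args[1],
                             "honoured": args[2], "ignored": args[3:]})
    return findings


# Constructed sample configuration, not taken from the report.
SAMPLE = """\
<AuthzProviderAlias ip blacklisted-ips 192.0.2.10 198.51.100.0/24 \\
    203.0.113.7>
</AuthzProviderAlias>
# <AuthzProviderAlias ip commented-out 192.0.2.1 192.0.2.2>
<AuthzProviderAlias ip single-ip 192.0.2.99>
</AuthzProviderAlias>
"""

if __name__ == "__main__":
    for f in find_multi_param_aliases(SAMPLE):
        print(f"line {f['line']}: {f['alias']!r} keeps {f['honoured']!r}, drops {f['ignored']}")
```

The check only reads the opening tag; it does not follow `Include` directives, so each included file has to be passed to it separately.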