
List:       apache-httpd-bugs
Subject:    [Bug 60946] New: "Require not env" generates error
From:       bugzilla () apache ! org
Date:       2017-03-31 0:51:35
Message-ID: bug-60946-7868 () https ! bz ! apache ! org/bugzilla/

https://bz.apache.org/bugzilla/show_bug.cgi?id=60946

            Bug ID: 60946
           Summary: "Require not env" generates error
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_host
          Assignee: bugs@httpd.apache.org
          Reporter: philipp@redfish-solutions.com
  Target Milestone: ---

If you can have an affirmative test like:

<Location />
    Require env is_good_request
</Location>

you should also be able to have:

<Location />
    Require not env is_bad_request
</Location>

but apparently this isn't allowed.  It results in the error:

Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of
/etc/httpd/conf.d/mod_setenvif.conf:
Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in
<RequireAny> directive

which for many is a meaningless message.

Getting security right should be as painless and straightforward as possible. 
Unfortunately, that's not the case here.

I had to instead do:

<Location />
    <RequireAll>
        Require all granted
        Require not env is_bad_request
    </RequireAll>
</Location>

but this, again, is less than obvious.  So I ended up rewriting my
configuration as a positive assertion, but that too is awkward:

SetEnvIfExpr true is_good_request=1

BrowserMatch "^the beast$" !is_good_request
...

SetEnvIf GEOIP_COUNTRY_CODE CN !is_good_request
...

SetEnvIf GEOIP_ISP "OHV Hosting" !is_good_request
...

<Location />
    Require env is_good_request
</Location>

instead.  So no matter how you try to write it as a workaround, it's going to
have some warts.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
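
Added example (not part of the original report and not httpd source code): a simplified Python model of the three-valued result logic in mod_authz_core, showing why a lone "Require not env" inside the implicit <RequireAny> could never grant access, and why the <RequireAll> workaround behaves as intended. The function names and sample requests are constructed for illustration, and the model leaves out the "denied, no user" and general-error results.

```python
# Simplified model of mod_authz_core's three-valued evaluation (added example,
# not httpd source). Omits AUTHZ_DENIED_NO_USER and AUTHZ_GENERAL_ERROR.
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def require_env(var, negate=False):
    """'Require [not] env VAR': a provider leaf."""
    def check(env):
        result = GRANTED if var in env else DENIED
        if negate:
            # A negated match denies; a negated non-match is only neutral,
            # because "not rejected" is not the same as "authorized".
            result = DENIED if result == GRANTED else NEUTRAL
        return result
    return check

def require_all_granted():
    """'Require all granted': always grants."""
    return lambda env: GRANTED

def section(op, *children):
    """<RequireAll> (op='all') or <RequireAny> (op='any')."""
    def check(env):
        result = NEUTRAL
        for child in children:
            r = child(env)
            if r == NEUTRAL:
                continue
            if (op == "all" and r == DENIED) or (op == "any" and r == GRANTED):
                return r            # decisive result, stop evaluating
            if result == NEUTRAL:
                result = r
        return result
    return check

def authorize(root, env):
    # A neutral result at the top level is treated as a denial.
    return root(env) == GRANTED

# Constructed sample requests: the set of environment variables on each one.
GOOD, BAD = set(), {"is_bad_request"}

# A bare "Require not env is_bad_request" lands in the implicit <RequireAny>.
bare = section("any", require_env("is_bad_request", negate=True))
# The reporter's workaround: <RequireAll> with "Require all granted" first.
workaround = section("all", require_all_granted(),
                     require_env("is_bad_request", negate=True))
```

In this model `bare` denies both GOOD and BAD, which is the condition the "negative Require directive has no effect in <RequireAny> directive" message reports at configuration time, while `workaround` admits GOOD and denies BAD.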
