[prev in list] [next in list] [prev in thread] [next in thread]
List: apache-httpd-bugs
Subject: [Bug 60946] New: "Require not env" generates error
From: bugzilla () apache ! org
Date: 2017-03-31 0:51:35
Message-ID: bug-60946-7868 () https ! bz ! apache ! org/bugzilla/
[Download RAW message or body]
https://bz.apache.org/bugzilla/show_bug.cgi?id=60946
Bug ID: 60946
Summary: "Require not env" generates error
Product: Apache httpd-2
Version: 2.4.25
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_host
Assignee: bugs@httpd.apache.org
Reporter: philipp@redfish-solutions.com
Target Milestone: ---
If you can have an affirmative test like:
<Location />
Require env is_good_request
</Location>
you should also be able to have:
<Location />
Require not env is_bad_request
</Location>
but apparently this isn't allowed. It results in the error:
Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of
/etc/httpd/conf.d/mod_setenvif.conf:
Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in
<RequireAny> directive
which for many is a meaningless message.
Getting security right should be as painless and straightforward as possible.
Unfortunately, that's not the case here.
I had to instead do:
<Location />
<RequireAll>
Require all granted
Require not env is_bad_request
</RequireAll>
</Location>
but this, again, is less than obvious. So I ended up rewriting my
configuration as a positive assertion, but that too is awkward:
SetEnvIfExpr true is_good_request=1
BrowserMatch "^the beast$" !is_good_request
...
SetEnvIf GEOIP_COUNTRY_CODE CN !is_good_request
...
SetEnvIf GEOIP_ISP "OHV Hosting" !is_good_request
...
<Location />
Require env is_good_request
</Location>
instead. So no matter how you try to write it as a workaround, it's going to
have some warts.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic