From acd4e3f2bfeb0e1c2ab0a89557d5d59a54f58103 Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Tue, 17 Apr 2018 19:47:05 +0000 Subject: [PATCH] Explain when the surrounding double quotes arround the expr argument MUST be avoided. (part of r1829390 in trunk) Remove trailing spaces to synch with trunk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1829392 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_authz_core.xml | 31 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml index 1ce4cfcc82..76902205e7 100644 --- a/docs/manual/mod/mod_authz_core.xml +++ b/docs/manual/mod/mod_authz_core.xml @@ -74,12 +74,12 @@ Alias "/secure" "/webpages/secure" <Directory "/webpages/secure"> Require all granted - + AuthBasicProvider file - + AuthType Basic AuthName LDAP_Protected_Place - + #implied OR operation Require ldap-group-alias1 Require ldap-group-alias2 @@ -165,12 +165,12 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in with KnockKnock/2.0 will be allowed access, and all others will be denied.

-

When the server looks up a path via an internal - subrequest such as looking - for a DirectoryIndex +

When the server looks up a path via an internal + subrequest such as looking + for a DirectoryIndex or generating a directory listing with mod_autoindex, - per-request environment variables are not inherited in the - subrequest. Additionally, + per-request environment variables are not inherited in the + subrequest. Additionally, SetEnvIf directives are not separately evaluated in the subrequest due to the API phases mod_setenvif takes action in.

@@ -234,16 +234,17 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in <RequireAll> Require expr "!(%{QUERY_STRING} =~ /secret/)" - Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }" + Require expr "%{REQUEST_URI} in { '/example.cgi', '/other.cgi' }" </RequireAll> - Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }" + Require expr "!(%{QUERY_STRING} =~ /secret/) && %{REQUEST_URI} in { '/example.cgi', '/other.cgi' }"

The syntax is described in the ap_expr - documentation.

+ documentation. Before httpd 2.4.16, the surrounding double-quotes MUST be + omitted.

Normally, the expression is evaluated before authentication. However, if the expression returns false and references the variable @@ -380,13 +381,13 @@ Require group admin Security Warning

Exercise caution when setting authorization directives in Location sections - that overlap with content served out of the filesystem. + that overlap with content served out of the filesystem. By default, these configuration sections overwrite authorization configuration - in Directory, + in Directory, and Files sections.

-

The AuthMerging directive - can be used to control how authorization configuration sections are +

The AuthMerging directive + can be used to control how authorization configuration sections are merged.

-- 2.40.0
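Review bot: in the hunk at -234, the added sentence "Before httpd 2.4.16, the surrounding double-quotes MUST be omitted." sits directly under three Require expr examples that all wrap the expression in double quotes, so a reader on an older 2.4.x release who copies an example gets exactly the form the sentence rules out. Suggest saying next to the examples that they are written for 2.4.16 and later, and showing one of them in the unquoted form. The sentence also does not say what happens when the quotes are present on an older release; because these lines are authorization rules, the text should state whether the server rejects the configuration or evaluates the expression differently.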
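Review bot: the hunks at -74, -165 and -380 remove and re-add lines whose visible text is identical, and the two Require expr lines in the hunk at -234 are re-added unchanged as well, so the single new sentence is hard to find among 16 insertions and 15 deletions. The commit message does announce the trailing-space cleanup, but the -380 hunk rewrites the Security Warning about Location sections overriding Directory and Files authorization, and a reader auditing changes to that warning has to compare it word by word to confirm nothing changed. Suggest committing the whitespace sync separately from the documentation change.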