Received: (qmail 26407 invoked by uid 2012); 14 Aug 1998 11:03:29 -0000 Message-Id: <19980814110329.26406.qmail@hyperreal.org> Date: 14 Aug 1998 11:03:29 -0000 From: Hans Werner Strube Reply-To: strube@physik3.gwdg.de To: apbugs@hyperreal.org Subject: Are "order allow,deny" and "order mutual-failure" identical? X-Send-Pr-Version: 3.2 >Number: 2851 >Category: mod_access >Synopsis: Are "order allow,deny" and "order mutual-failure" identical? >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: mistaken >Submitter-Id: apache >Arrival-Date: Fri Aug 14 04:10:01 PDT 1998 >Last-Modified: Fri Aug 14 07:00:00 PDT 1998 >Originator: strube@physik3.gwdg.de >Organization: >Release: 1.3.1 >Environment: Solaris 2.5.[1] SPARC, gcc 2.7.2.1 >Description: From their description, I understand that "order allow,deny" and "order mutual-failure" are actually identical. In both cases, access is permitted if and only if the address occurs in the access list but not in the deny list. This should be clarified in the documentation. If I am right, the separate treatment in the program code is redundant. >How-To-Repeat: >Fix: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: lars State-Changed-When: Fri Aug 14 05:06:35 PDT 1998 State-Changed-Why: No, "order allow,deny" and "order mutual-failure" are not identical. If you use allow,deny access is granted if the address is listed in the allow line, if it is also on the deny line is irrelevant. With mutual-failure such an access would be blocked. Class-Changed-From-To: doc-bug-mistaken Class-Changed-By: lars Class-Changed-When: Fri Aug 14 05:06:35 PDT 1998 From: strube@physik3.gwdg.de To: apbugs@apache.org Cc: Subject: Re: mod_access/2851: Are "order allow,deny" and "order mutual-failure" identical? Date: Fri, 14 Aug 1998 15:54:03 +0200 I do not agree with this, based both on logic and on the program code: > No, "order allow,deny" and "order mutual-failure" are > not identical. If you use allow,deny access is granted > if the address is listed in the allow line, if it is > also on the deny line is irrelevant. This would imply that under "order allow,deny", the deny list is entirely irrelevant, since the initial state is FORBIDDEN. However, the code favors my first interpretation: if (a->order[method] == ALLOW_THEN_DENY) { ret = FORBIDDEN; if (find_allowdeny(r, a->allows, method)) ret = OK; if (find_allowdeny(r, a->denys, method)) ret = FORBIDDEN; } Initially: FORBIDDEN; if found in a->allows: OK; if then found in a->denys, FORBIDDEN again. So where is my misunderstanding? Hans Werner Strube strube@physik3.gwdg.de Drittes Physikalisches Institut, Univ. Goettingen Buergerstr. 42-44, D-37073 Goettingen, Germany >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]