Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-1784

Allow/Deny/Order/Satisfy directives silently dropped on Apache 2.4

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • None
    • apache, supported

    Description

      When I was working on MODULES-1622 I noticed the behaviour of Allow/Deny directives is behaving potentially dangerously.
      Consider the following manifest:

      class { 'apache': }
      apache::vhost { 'example.org':
        docroot     => '/var/www/html',
        directories => {
          path        => '/var/www/html/secret',
          allow       => 'from 127.0.0.1',
          deny        => 'from all',
        },
      }
      

      On a OS which uses Apache 2.2 this works correctly like you'd expect.
      However on a OS which uses Apache 2.4 the allow and deny is silently dropped, which results in this actual configuration:

        <Directory "/var/www/html/secret">
          AllowOverride None
          Require all granted
        </Directory>
      

      In my opinion if you are using Apache 2.4 and are setting those deprecated parameters the manifest should flat out fail - or at the very least warn you.
      Dropping those parameters and defaulting to `Require all granted` is dangerous.

      This also affects the Order and Satisfy directives in the same way.

      Attachments

        Issue Links

          Activity

            People

              faker Roman Mueller
              faker Roman Mueller
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support