Description
When I was working on MODULES-1622 I noticed the behaviour of Allow/Deny directives is behaving potentially dangerously.
Consider the following manifest:
class { 'apache': }
|
apache::vhost { 'example.org':
|
docroot => '/var/www/html',
|
directories => {
|
path => '/var/www/html/secret',
|
allow => 'from 127.0.0.1',
|
deny => 'from all',
|
},
|
}
|
On a OS which uses Apache 2.2 this works correctly like you'd expect.
However on a OS which uses Apache 2.4 the allow and deny is silently dropped, which results in this actual configuration:
<Directory "/var/www/html/secret">
|
AllowOverride None
|
Require all granted
|
</Directory>
|
In my opinion if you are using Apache 2.4 and are setting those deprecated parameters the manifest should flat out fail - or at the very least warn you.
Dropping those parameters and defaulting to `Require all granted` is dangerous.
This also affects the Order and Satisfy directives in the same way.
Attachments
Issue Links
- relates to
-
MODULES-10934 puppetlabs-apache : directory 'all granted' needs to be configurable.
-
- Accepted
-
-
MODULES-1622 Allow multiple Deny directives in a directory
-
- Resolved
-