Bug 56230

Summary: mod_access_compat can log a bogus client denied message
Product: Apache httpd-2
Reporter: Jon <nuxi>
Component: mod_access_compat
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.12   
Target Milestone: ---   
Hardware: PC   
OS: Mac OS X 10.4   
Attachments: patch

Description Jon 2014-03-07 00:00:46 UTC
If a "Satisfy Any" directive is used with mod_access_compat, it will always log a client denied message based on the access directives, ignoring the possibility that the client was permitted via the other authentication methods.

Looking at the code that was split from mod_authz_host into mod_access_compat, it seems that some of the checks to skip the log message in this case were lost in the move:

Old code:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/aaa/mod_authz_host.c?revision=667776&view=markup#l309

New code:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_access_compat.c?revision=1463056&view=markup#l348

I re-added the other two components of the if statement and the message went away.
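The kind of configuration the description above refers to, as an added example that is not part of the bug report or the attached patch. The directory path, realm name, password file and address range are constructed placeholders; the second stanza is the same policy written with the 2.4 authorization directives.

```apache
# Constructed example: 2.2-style policy handled by mod_access_compat.
# A client outside 192.0.2.0/24 that presents valid credentials is
# served because of "Satisfy Any", yet the host rule below still
# evaluates to "denied" for that client. That is the case in which the
# report says a "client denied" message is logged anyway.
<Directory "/var/www/private">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthType Basic
    AuthName "private"
    AuthUserFile "/etc/apache2/htpasswd.example"
    Require valid-user

    # Passing either the host rule or the login is sufficient
    Satisfy Any
</Directory>

# Same policy expressed with mod_authz_core / mod_authz_host (2.4).
# No Order/Allow/Deny/Satisfy directives are used here, so
# mod_access_compat has no host rule to deny on.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "private"
    AuthUserFile "/etc/apache2/htpasswd.example"

    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>
</Directory>
```

Only one of the two stanzas should be active for a given directory; they are shown together for comparison.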
Comment 1 Petr Gajdos 2015-06-02 08:07:38 UTC
Are you planning to fix this issue?

I don't want to push, just to know if it is going to be on the table in the near future.

As Jon suggests, the following patch fixes the problem for me, but I am not sure whether there are some side effects.
Comment 2 Petr Gajdos 2015-06-02 08:11:01 UTC
Created attachment 32778
patch
Comment 3 Jon 2015-06-02 15:05:30 UTC
I've been using such a patch since shortly after filing this. It's been working for me.