Summary: | HTTP 403 instead of HTTP 401 in RequireAll | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | goldendev |
Component: | mod_authz_core | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 2.4.41 | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Linux |
Description
goldendev
2019-10-03 02:35:50 UTC
I bet it should have been (line 772): ```c if (child_result == AUTHZ_DENIED || child_result == AUTHZ_DENIED_NO_USER) { ``` Instead of: ```c if (child_result == AUTHZ_DENIED) { ``` Hi, untested, but does: <RequireAll> Require valid-user <RequireAny> Require not valid-user Require env SMTH </RequireAny> </RequireAll> would do what you are looking for ? (In reply to Christophe JAILLET from comment #2) > Hi, untested, but does: > > <RequireAll> > Require valid-user > <RequireAny> > Require not valid-user > Require env SMTH > </RequireAny> > </RequireAll> > > would do what you are looking for ? Unfortunately no. I've got syntax error on httpd -t: "Require directive has no effect in <RequireAny> directive." It seems that "Require not" must always be enclosed in RequireAll. *I meant: "[Negative] Require directive has no effect in <RequireAny> directive." |