AuthzProviderAlias only accepts the first Require-Parameter even if more were provided. A contrived example where this could be an issue is if a user had defined a list of blacklisted IPs, such as the following: <AuthzProviderAlias ip blacklisted-ips XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY> </AuthzProviderAlias> <Directory "/home/hwibell/2.4.x/built/htdocs/test"> <RequireAll> Require not blacklisted-ips Require all granted </RequireAll> </Directory> In the above example, clients with the IP XXX.XXX.XXX.XXX would be correctly denied access to anything in `/test` while clients from YYY.YYY.YYY.YYY would be able to access it when they shouldn't.
Created attachment 35971 [details] Proposed patch for trunk
Hmm, I think that the proposed patch would break configuration like: <AuthzProviderAlias ip blacklisted-ips "XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY"> </AuthzProviderAlias> Not sure if such configuration is used, but it would be a workaround to the issue you have spotted. Would it be enough to just explain in the doc that if several Require-Parameters are needed, they have to be put between some "? https://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#authzprovideralias Otherwise, your patch should be improved to remove the ", if and only if it is found at the start and at the end of the 'Require-Parameters' string.
@Christophe You are right: quoting the Require-Parameters works, and the patch would break such configurations. I think ditching the patch and adding a note to the doc makes sense. Thanks for catching that. :)
Message added in doc. Warning log message also added if such a case is detected at run-time. See r1834209.
Backported in r1834843. Will be part of 2.4.34. Thx Hank for the report.