Bug 9076 - 'satisfy any' without AuthType set causes 500
Summary: 'satisfy any' without AuthType set causes 500
Alias: None
Product: Apache httpd-1.3
Classification: Unclassified
Component: Auth/Access (show other bugs)
Version: HEAD
Hardware: Other All
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2002-05-14 17:15 UTC by Michael King
Modified: 2004-11-16 19:05 UTC (History)
1 user (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Michael King 2002-05-14 17:15:28 UTC
Server Version: Apache/1.3.24 (Unix)
Server Built: May 1 2002 10:07:09
API Version: 19990320:11
Run Mode: standalone

From the httpd.conf:
  <IfModule mod_info.c>
  <Location /server-info>
      SetHandler server-info
      Order deny,allow
      Deny from all
      Allow from 127 10 192.168
      Satisfy any

This is a LOCATION directive, which processes after the .htaccess directives 
have occurred. For my docroot directory, I've got an "AllowOverride All" in 
place. However, in that root directory, I do *not* have an .htaccess file.

I get a Server Error 500, and it generates an access_log entry, but no 
error_log entry.

10.X.X.X - - [14/May/2002:11:40:20 -0500] "GET /server-info HTTP/1.1" 500

If I remove the "Satisfy any" clause, operation is normal. The issue is that
I don't know in advance if the user will put a .htaccess file in place
to pre-determine if I need to put a "Satisfy any" clause in the LOCATION blocks.

I don't know if "Satisfy any" requires an .htaccess file and a "Require" clause 
in it before it will work.

I think the behaviour should be that "Satisfy any" doesn't care if there is 
a .htaccess file or not (implies no condition, but not satisfied). Using 
a "Satisfy any" should always allow access if not specified by either 
.htaccess or "Allow from"

Comment 1 Psychopath 2002-08-17 17:23:20 UTC
Same behaviour with 1.3.26 on Windows 2000 Professional. (even with simpler test-case, i.e. 
normal directory, only "Satisfy")
I wonder whether this should be split into two bugs:
- one 
documentation bug to make it clearer that access restrition by client host address AND 
username/password ist _required_ if you want to use "Satisfy". (It only states "is only 
- one bug, because Apache should log something like this in its error log.
Comment 2 André Malo 2003-01-28 16:07:48 UTC
Well, it's a broken logic in "satisfy any" handling. Bug is fixed in 2.1.0-dev
and proposed for backport.

Thanks for using Apache!
Comment 3 André Malo 2003-01-31 02:28:59 UTC
It's fixed now and will be available in the next release (1.3.28).