Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: Eric Covener <covener@xxxxxxxxx>
- Subject: Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType
- From: Torsten Krah <krah.tm@xxxxxxxxx>
- Date: Thu, 15 Mar 2018 15:50:19 +0100
- Cc: users@xxxxxxxxxxxxxxxx
- In-reply-to: <CALK=YjP_wDi+xrbn=XdatWzdeAJg5C_0Fc3PAMX6BMVrGtccDw@mail.gmail.com>
- Reply-to: users@xxxxxxxxxxxxxxxx
- Reply-to: Torsten Krah <krah.tm@xxxxxxxxx>
Am Donnerstag, den 15.03.2018, 10:44 -0400 schrieb Eric Covener:
> I think you should be setting it to a customized string or an existing
> one if you want a fallthrough behavior. Anything else seems
> undefined/dangerous.
lua docs does not tell that i should set AuthType anywhere searching for
it on:
https://httpd.apache.org/docs/trunk/mod/mod_lua.html
So is this a *must* have to set additionally? Shouldn't it be better
than if either httpd errors out if it finds one of those lua auth
handler directives without an AuthType? Or maybe just set one implicitly
to e.g. AuthType LUA when configuration is parsed?
And i am curious - why its dangerous? If it is dangerous - shouldn't the
docs have some note about this added?
Reading them i was under the impression - and because httpd does not
bail about it - that its not needed using the lua handlers.
kind regards
Torsten
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
[Index of Archives]
[Open SSH Users]
[Linux ACPI]
[Linux Kernel]
[Linux Laptop]
[Kernel Newbies]
[Security]
[Netfilter]
[Bugtraq]
[Squid]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Samba]
[Video 4 Linux]
[Device Mapper]
