httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType
Date Thu, 15 Mar 2018 14:55:16 GMT
On Thu, Mar 15, 2018 at 10:50 AM, Torsten Krah <krah.tm@gmail.com> wrote:
> On Thursday, 15.03.2018, at 10:44 -0400, Eric Covener wrote:
>> I think you should be setting it to a customized string or an existing
>> one if you want a fallthrough behavior.  Anything else seems
>> undefined/dangerous.
>
> The Lua docs do not say that I should set AuthType anywhere, searching for
> it on:
>
> https://httpd.apache.org/docs/trunk/mod/mod_lua.html
>
> So is this a *must* have to set additionally? Shouldn't it be better
> then if either httpd errors out if it finds one of those Lua auth
> handler directives without an AuthType? Or maybe just set one implicitly
> to e.g. AuthType LUA when configuration is parsed?

Lots of things could be better. To me it is clear that the overall
system expects an AuthType to be set if you will be doing authn and
authz.

The error message is one indication of that.

IIUC, a normal authentication provider would check the configured
authtype. So it would not be ideal for Lua to programmatically
configure it just because the hook has been implemented by a script.

> And I am curious - why is it dangerous? If it is dangerous - shouldn't the
> docs have some note about this added?
> Reading them I was under the impression - and because httpd does not
> bail about it - that it's not needed using the Lua handlers.

To me it's dangerous because to me it looks like
unintended/undesigned/undefined config/behavior in the area of access
control and that error message is the hint.
