https://bz.apache.org/bugzilla/show_bug.cgi?id=60946

            Bug ID: 60946
           Summary: "Require not env" generates error
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_host
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

If you can have an affirmative test like:

<Location />
    Require env is_good_request
</Location>

you should also be able to have:

<Location />
    Require not env is_bad_request
</Location>

but apparently this isn't allowed.  It results in the error:

Mar 28 14:04:49 mail httpd[2964]: AH00526: Syntax error on line 81 of /etc/httpd/conf.d/mod_setenvif.conf:
Mar 28 14:04:49 mail httpd[2964]: negative Require directive has no effect in <RequireAny> directive

which for many is a meaningless message.

Getting security right should be as painless and straightforward as possible. 
Unfortunately, that's not the case here.

I had to instead do:

<Location />
    <RequireAll>
        Require all granted
        Require not env is_bad_request
    </RequireAll>
</Location>

but this, again, is less than obvious.  So I ended up rewriting my
configuration as a positive assertion, but that too is awkward:

SetEnvIfExpr true is_good_request=1

BrowserMatch "^the beast$" !is_good_request
...

SetEnvIf GEOIP_COUNTRY_CODE CN !is_good_request
...

SetEnvIf GEOIP_ISP "OHV Hosting" !is_good_request
...

<Location />
    Require env is_good_request
</Location>

instead.  So no matter how you try to write it as a workaround, it's going to
have some warts.
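
An added illustration (not part of the bug report and not Apache code) of why the bare negated form is rejected while the <RequireAll> form works, as a simplified Python model of the documented mod_authz_core semantics: bare Require lines sit in an implicit <RequireAny>, and a negated directive can only deny or stay neutral, never grant. The class and function names are hypothetical and the request environments are constructed.

```python
# Simplified model of mod_authz_core's three-valued authorization results.
# Illustration only, not Apache source; request environments are constructed.
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

class Require:
    """One 'Require [not] ...' line; test(env) -> bool is the provider check."""
    def __init__(self, test, negate=False):
        self.test, self.negate = test, negate

    def evaluate(self, env):
        result = GRANTED if self.test(env) else DENIED
        if self.negate:
            # A negated directive can veto (denied) or abstain (neutral), never grant.
            result = DENIED if result == GRANTED else NEUTRAL
        return result

def require_env(name, negate=False):
    """Require [not] env NAME: succeeds when the variable is set."""
    return Require(lambda env: name in env, negate)

ALL_GRANTED = Require(lambda env: True)  # Require all granted

class RequireAll:
    negate = False
    def __init__(self, *children):
        self.children = children

    def evaluate(self, env):
        results = [c.evaluate(env) for c in self.children]
        if DENIED in results:            # no child may fail
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL  # one must succeed

class RequireAny(RequireAll):
    def __init__(self, *children):
        # Config-time check behind the error message quoted in the report.
        if any(c.negate for c in children):
            raise ValueError("negative Require directive has no effect in <RequireAny> directive")
        super().__init__(*children)

    def evaluate(self, env):
        results = [c.evaluate(env) for c in self.children]
        if GRANTED in results:           # one success is enough
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL

def allowed(section, env):
    """A neutral result at the top level does not authorize the request."""
    return section.evaluate(env) == GRANTED
```

In this model a <RequireAll> holding only the negated line evaluates to neutral for a clean request, which is why the working configuration also needs "Require all granted".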
