Apache content protection with require rule and multiple patterns: Only first pattern works
BTW, my assessment is that the bug couldn't result in broader access than intended, so I'm not treating it as a security issue. If you can think of something I'm not seeing, let me know.
Scott Cantor August 12, 2009 at 10:23 AM
Bug has been there ever since the decision to keep supporting "require all", which Apache doesn't actually support. Toggling that off probably works around the bug.
Scott Cantor August 12, 2009 at 10:06 AM
Confirmed, not working for me. Will fix for 2.2.1.
Description
Recently we had a few people report that rules in .htaccess files like
AuthType shibboleth
ShibRequireSession on
require uniqueID 1799853@ethz.ch 63436@ethz.ch
or
require homeOrganization switch.ch ethz.ch
don't work anymore as expected.
E.g. when one is using
require homeOrganization "switch.ch" "ethz.ch"
or
require homeOrganization switch.ch ethz.ch
access is granted for users from switch.ch. However, neither
require homeOrganization "ethz.ch" "switch.ch"
nor
require homeOrganization ethz.ch switch.ch
did work for users from switch.ch.
Is it possible that such require rules with multiple patterns stopped working? As far as I remember these used to work perfectly with older versions of Shibboleth.
It seems that only the first pattern is obeyed in the require rules. I couldn't find anything on https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent or elsewhere on the Wiki.
Any idea? Have we missed something?