Apache content protection with require rule and multiple patterns: Only first pattern works

Description

Recently we had a few people report that rules in .htaccess files like

AuthType shibboleth
ShibRequireSession on
require uniqueID 1799853@ethz.ch 63436@ethz.ch
or
require homeOrganization switch.ch ethz.ch

don't work anymore as expected.

E.g. when one is using
require homeOrganization "switch.ch" "ethz.ch"
or
require homeOrganization switch.ch ethz.ch

access is granted for users from switch.ch. However, neither
require homeOrganization "ethz.ch" "switch.ch"
nor
require homeOrganization ethz.ch switch.ch
did work for users from switch.ch.

Is it possible that such require rules with multiple patterns stopped working? As far as I remember these used to work perfectly with older versions of Shibboleth.

It seems that only the first pattern is obeyed in the require rules. I couldn't find anything on https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent or elsewhere on the Wiki.

Any idea? Have we missed something? :)

Environment

None
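The report above says only the first pattern of a multi-value require rule is obeyed, so one way to find the rules that may be locking users out is to scan .htaccess content for require lines carrying more than one value. This is an added example, not code from the Shibboleth project or from the reporter; the function name is hypothetical, and skipping `valid-user`, `shibboleth` and the `~` regex marker is an assumption about the rule syntax.

```python
import re

# Matches either a "quoted value" or a bare whitespace-delimited token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Assumption: these rules take no value list, so they cannot be affected.
NO_VALUE_RULES = {"valid-user", "shibboleth"}

def find_multi_pattern_rules(htaccess_text):
    """Return (line_no, rule, first_value, later_values) for each require
    line with more than one value. Per the report, only first_value is
    honoured, so users matching only later_values are denied."""
    findings = []
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [m.group(1) if m.group(1) is not None else m.group(2)
                  for m in TOKEN.finditer(line)]
        if len(tokens) < 3 or tokens[0].lower() != "require":
            continue
        rule = tokens[1]
        if rule.lower() in NO_VALUE_RULES:
            continue
        # Assumption: "~" only marks the next value as a regex; it is not a value.
        values = [t for t in tokens[2:] if t != "~"]
        if len(values) > 1:
            findings.append((line_no, rule, values[0], values[1:]))
    return findings

# Constructed sample built from the rules quoted in the report.
# AuthType is not checked because it may be inherited from a parent config.
SAMPLE = """\
AuthType shibboleth
ShibRequireSession on
require uniqueID 1799853@ethz.ch 63436@ethz.ch
require homeOrganization "ethz.ch" "switch.ch"
require homeOrganization switch.ch
require valid-user
"""

if __name__ == "__main__":
    for line_no, rule, first, later in find_multi_pattern_rules(SAMPLE):
        print(f"line {line_no}: require {rule}: only {first!r} obeyed, "
              f"possibly ignored: {later}")
```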

Activity

Lukas Hämmerle August 12, 2009 at 10:50 AM

Great, thanks :)

No, actually the opposite may have happened: fewer people get access due to the bug :)

Scott Cantor August 12, 2009 at 10:39 AM

http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3092

Good timing, I'm freezing today.

BTW, my assessment is that the bug couldn't result in broader access than intended, so I'm not treating it as a security issue. If you can think of something I'm not seeing, let me know.

Scott Cantor August 12, 2009 at 10:23 AM

Bug has been there ever since the decision to keep supporting "require all", which Apache doesn't actually support. Toggling that off probably works around the bug.

Scott Cantor August 12, 2009 at 10:06 AM

Confirmed, not working for me. Will fix for 2.2.1.

Fixed

Created August 12, 2009 at 9:55 AM
Updated June 24, 2021 at 3:04 PM
Resolved August 12, 2009 at 10:39 AM