Project

General

Profile

Actions

Bug #16552

closed

Webdav password is ignored and access is granted for all nodes in allowed networks

Added by Alexis Mousset almost 5 years ago. Updated about 4 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Reviewed
Fix check:
Checked
Regression:

Description

Since apache 2.4 and changes in Require semantic, the allowed network and authentication are now both valid, so being in the allowed networks skips auth checks.

We need to add something like:

<RequireAll>
<RequireAny>
Require ip 127.0.0.1
...
</RequireAny>
Require valid-user

Actions #1

Updated by Alexis Mousset almost 5 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #2

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 6.0.3 to 6.0.4
Actions #3

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.4 to 6.0.5
Actions #4

Updated by Alexis Mousset over 4 years ago

  • Status changed from In progress to Pending release
Actions #5

Updated by Alexis Mousset over 4 years ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Alexis Mousset over 4 years ago

  • Name check changed from To do to Reviewed
Actions #7

Updated by Vincent MEMBRÉ over 4 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.0.5 which was released today.

Actions #8

Updated by Alexis Mousset over 4 years ago

  • Category changed from Techniques to Security
Actions #9

Updated by Vincent MEMBRÉ about 4 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF