2024-02-14 Oddµ bug maybe
==========================

I had a site where an entire subdirectory was private. Nobody but the author could read or write those pages. I had configured Apache to require authentication for this subdirectory. The config looked a bit like this:

```
<LocationMatch "^/(edit|save|add|append|upload|drop|view/secret)/">
  AuthType Basic
  AuthName "Password Required"
  AuthUserFile /home/oddmu/.htpasswd
  Require valid-user
</LocationMatch>
```

Note the addition of view/secret.

But yesterday I realized that you can run a search in the root. Such a search includes all the pages in subdirectories, and so Oddmu served an extract of the pages in the "secret" subdirectory. Adding |search/secret to the LocationMatch doesn't help.

I had to decide whether to disable search altogether, or disable the search of subdirectories, or add a new feature.

I added a new feature. It is tied to an environment variable called ODDMU_FILTER. It matches the directory being searched and the directory where the search starts. If the directory doesn't match, the pages returned must also not match; if the directory does match, the pages returned must also match.

Here's an example of three pages:

* /a
* /public/b
* /secret/c

The environment variable is set: ODDMU_FILTER=^secret/ – what happens now?

* If you search from the root (doesn't match the filter), then only pages a and b are searched (they also don't match the filter).
* If you search from /public (doesn't match the filter), then only page b is searched (also doesn't match the filter). This behaviour is unchanged from before. Searches start with the directory the user is looking at.
* If you search from /secret (matches the filter), then only page c is searched (also matches the filter). This, too, is unchanged from before.
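The rule above, written out as a small Go function and run over the three example pages, with the filter set and unset. This is an added illustration, not Oddmu's own code; the function name `visiblePages` and the way directories are represented (empty string for the root, trailing slash otherwise) are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// visiblePages returns the pages a search starting in dir may return.
// Assumed representation: dir is "" for the root, otherwise ends in "/";
// page names are relative to the site root. A nil filter means
// ODDMU_FILTER is unset.
func visiblePages(filter *regexp.Regexp, dir string, pages []string) []string {
	matches := func(s string) bool { return filter != nil && filter.MatchString(s) }
	dirMatches := matches(dir)
	var out []string
	for _, p := range pages {
		if !strings.HasPrefix(p, dir) {
			continue // a search only covers dir and its subdirectories
		}
		if matches(p) != dirMatches {
			continue // page is on the other side of the filter
		}
		out = append(out, p)
	}
	return out
}

func main() {
	pages := []string{"a", "public/b", "secret/c"} // the three pages from the post
	filter := regexp.MustCompile(`^secret/`)       // ODDMU_FILTER=^secret/
	for _, dir := range []string{"", "public/", "secret/"} {
		fmt.Printf("filter set,   search from %q: %v\n", dir, visiblePages(filter, dir, pages))
	}
	// Without the filter, a search from the root reaches secret/c.
	fmt.Printf("filter unset, search from %q: %v\n", "", visiblePages(nil, "", pages))
}
```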

Naturally, you still need to change the web server config for the actual authentication to happen:

```
<LocationMatch "^/(edit|save|add|append|upload|drop|view/secret|search/secret)/">
  AuthType Basic
  AuthName "Password Required"
  AuthUserFile /home/oddmu/.htpasswd
  Require valid-user
</LocationMatch>
```

I hope I got it right! It's also documented in the oddmu-apache(5) man page.

#Oddµ