as reported in comments section of the manual anonymously, it looks like the lua-specific hash used to store the parameters gets mixed up if you define 1 provider but use it with multiple require arguments. original: http://httpd.apache.org/docs/trunk/mod/mod_lua.html#comment_3245
Reactivated ancient apache bugzilla account to record as originator of comment on modlua documentation page.
Created attachment 32219 [details] Allow multiple LuaAuthzProvider directives with the same provider name but different args
Forgot to attach comment to patch. Above patch should fix the issue. The operative part is that it separates the provider from the arguments that are passed to it. As a sidenote, the typenames lua_authz_provider_spec and lua_authz_provider_func should probably be switched. I skipped that in the interest of a smaller diff, but whoever reviews/commits should probably look at naming those better.
Thanks, waiting to see if a CVE should be assigned.
CVE-2014-8109, waiting for next 2.4.x release
Backported to 2.4.11 in r1642861.