From 53133772ac0baaf835eb73451f58d17632bfb19f Mon Sep 17 00:00:00 2001 From: Joshua Slive Date: Sun, 20 Aug 2006 19:46:24 +0000 Subject: [PATCH] My last effort was a little too succinct and not quite precise enough. Try being more explicit. This does leave the danger that people will clip the example as the proper way to do things, when they should be reading on to the example. The example is only correct when used in conjunction with Alias. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@433021 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_alias.html.en | 22 +++++++++++++++++----- docs/manual/mod/mod_alias.xml | 22 +++++++++++++++++----- 2 files changed, 34 insertions(+), 10 deletions(-) diff --git a/docs/manual/mod/mod_alias.html.en b/docs/manual/mod/mod_alias.html.en index 948881a474c..099c8950594 100644 --- a/docs/manual/mod/mod_alias.html.en +++ b/docs/manual/mod/mod_alias.html.en @@ -366,15 +366,15 @@ target as a CGI script is essentially equivalent to:

Alias /cgi-bin/ /web/cgi-bin/
- <Directory /web/cgi-bin >
+ <Location /cgi-bin >
SetHandler cgi-script
Options +ExecCGI
 - </Directory> + </Location>

-
It is safer to avoid placing CGI scripts under the +
It is safer to avoid placing CGI scripts under the DocumentRoot in order to avoid accidentally revealing their source code if the configuration is ever changed. The @@ -382,8 +382,20 @@ target as a CGI script URL and designating CGI scripts at the same time. If you do choose to place your CGI scripts in a directory already accessible from the web, do not use - ScriptAlias. Instead, use <Directory>, SetHandler, and Options as shown in the second example - above.
+ ScriptAlias. Instead, use <Directory>, SetHandler, and Options as in: +

+ <Directory /usr/local/apache2/htdocs/cgi-bin >
+ + SetHandler cgi-script
+ Options ExecCGI
+ + </Directory> +

+ This is necessary since multiple URL-paths can map + to the same filesystem location, potentially bypassing the + ScriptAlias and revealing the source code + of the CGI scripts if they are not restricted by a + Directory section.

See also

diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml index ddf82f807bf..db12c55f2f7 100644 --- a/docs/manual/mod/mod_alias.xml +++ b/docs/manual/mod/mod_alias.xml @@ -361,15 +361,15 @@ target as a CGI script is essentially equivalent to:

Alias /cgi-bin/ /web/cgi-bin/
- <Directory /web/cgi-bin >
+ <Location /cgi-bin >
SetHandler cgi-script
Options +ExecCGI
 - </Directory> + </Location> - It is safer to avoid placing CGI scripts under the + It is safer to avoid placing CGI scripts under the DocumentRoot in order to avoid accidentally revealing their source code if the configuration is ever changed. The @@ -380,8 +380,20 @@ target as a CGI script ScriptAlias. Instead, use Directory, SetHandler, and Options as shown in the second example - above. + module="core">Options as in: + + <Directory /usr/local/apache2/htdocs/cgi-bin >
+ + SetHandler cgi-script
+ Options ExecCGI
+ + </Directory> + + This is necessary since multiple URL-paths can map + to the same filesystem location, potentially bypassing the + ScriptAlias and revealing the source code + of the CGI scripts if they are not restricted by a + Directory section. CGI Tutorial -- 2.47.2