Subject: svn commit: r433022 - in /httpd/httpd/branches/2.2.x/docs/manual/mod: mod_alias.html.en mod_alias.xml
Date: Sun, 20 Aug 2006 19:46:56 -0000
To: cvs@httpd.apache.org
From: slive@apache.org

Author: slive
Date: Sun Aug 20 12:46:55 2006
New Revision: 433022

URL: http://svn.apache.org/viewvc?rev=433022&view=rev
Log:
Backport: My last effort was a little too succinct and not quite precise enough. Try being more explicit. This does leave the danger that people will clip the example as the proper way to do things, when they should be reading on to the example. The example is only correct when used in conjunction with Alias.

Modified:
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.html.en
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.xml

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.html.en URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.html.en?rev=433022&r1=433021&r2=433022&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.html.en (original) +++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.html.en Sun Aug 20 12:46:55 2006 @@ -366,15 +366,15 @@ is essentially equivalent to:

Alias /cgi-bin/ /web/cgi-bin/
- <Directory /web/cgi-bin >
+ <Location /cgi-bin >
SetHandler cgi-script
Options +ExecCGI
- </Directory> + </Location>

-
It is safer to avoid placing CGI scripts under the +
It is safer to avoid placing CGI scripts under the DocumentRoot in order to avoid accidentally revealing their source code if the configuration is ever changed. The @@ -382,8 +382,20 @@ URL and designating CGI scripts at the same time. If you do choose to place your CGI scripts in a directory already accessible from the web, do not use - ScriptAlias. Instead, use <Directory>, SetHandler, and Options as shown in the second example - above.
+ ScriptAlias. Instead, use <Directory>, SetHandler, and Options as in: +

+ <Directory /usr/local/apache2/htdocs/cgi-bin >
+ + SetHandler cgi-script
+ Options ExecCGI
+
+ </Directory> +

+ This is necessary since multiple URL-paths can map + to the same filesystem location, potentially bypassing the + ScriptAlias and revealing the source code + of the CGI scripts if they are not restricted by a + Directory section.

See also
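
Review bot: In the second hunk of mod_alias.html.en (@@ -382,8 +382,20 @@), the added Directory example says "Options ExecCGI" with no "+", while the example in the first hunk says "Options +ExecCGI". Without the "+", Options replaces the options already in force for that directory instead of adding to them, so a reader who copies this block into a directory under the DocumentRoot also switches off whatever other options applied there. Suggest "Options +ExecCGI" here, or a sentence saying the replacement is intended. The same added line appears in mod_alias.xml, so both files need the change.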

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.xml?rev=433022&r1=433021&r2=433022&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.xml (original) +++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_alias.xml Sun Aug 20 12:46:55 2006 @@ -361,15 +361,15 @@ is essentially equivalent to:

Alias /cgi-bin/ /web/cgi-bin/
- <Directory /web/cgi-bin >
+ <Location /cgi-bin >
SetHandler cgi-script
Options +ExecCGI
- </Directory> + </Location>
- It is safer to avoid placing CGI scripts under the + It is safer to avoid placing CGI scripts under the DocumentRoot in order to avoid accidentally revealing their source code if the configuration is ever changed. The @@ -380,8 +380,20 @@ ScriptAlias. Instead, use Directory, SetHandler, and Options as shown in the second example - above. + module="core">Options as in: + + <Directory /usr/local/apache2/htdocs/cgi-bin >
+ + SetHandler cgi-script
+ Options ExecCGI
+
+ </Directory> +
+ This is necessary since multiple URL-paths can map + to the same filesystem location, potentially bypassing the + ScriptAlias and revealing the source code + of the CGI scripts if they are not restricted by a + Directory section.
CGI Tutorial
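
Review bot: In the first hunk of mod_alias.xml (@@ -361,15 +361,15 @@), the "<Location /cgi-bin >" block under "is essentially equivalent to:" has no caveat next to it, and the log message itself says readers may clip it as the proper way to do things. A Location section is matched by URL-path, so the block is only correct together with the "Alias /cgi-bin/ /web/cgi-bin/" line above it, and the text explaining why comes only in the next hunk, after the Directory example. Suggest one sentence directly after this example stating that it illustrates what ScriptAlias does and is not meant to be used without the Alias line. The same applies to the matching hunk in mod_alias.html.en.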