httpd-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sun, 20 Aug 2006 19:27:16 GMT
Joshua Slive wrote:
> On 8/20/06, Carsten Wiedmann wrote:
>> Ok. Then we can say: For some other reasons, it's not safe to make a
>> ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).
> Yes, this is true.  *Alias* do not do the canonicalization necessary
> to assure they can't be bypassed.  That applies to any filesystem.
> The docs do make it clear in other places that the only safe way to
> protect content in the filesystem is using <Directory>.

Ding ding ding.  Now with some luck light bulbs will come on.

Alias / ScriptAlias have (1) function which is to point the URI space
into another filesystem space.  If the content is under DocumentRoot
there is no reason for alias.
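
The layout discussed in this thread, as an added configuration example that is not part of the original message. All paths are constructed placeholders, and the authorization lines assume Apache 2.4 syntax.

```apache
# Constructed example; every path is a placeholder. Apache 2.4 syntax assumed.

# --- Weak: script directory sits under DocumentRoot ---
# The CGI handler is attached only by the URI-prefix match in ScriptAlias.
# A request that resolves to the same directory through the DocumentRoot
# mapping instead is served as static content, i.e. as script source.
#
#   DocumentRoot "/srv/www/htdocs"
#   ScriptAlias  /cgi-bin/ "/srv/www/htdocs/cgi-bin/"

# --- Corrected: scripts outside DocumentRoot, policy on the directory ---
# ScriptAlias only maps the URI space onto another filesystem location;
# the <Directory> block is what governs the files themselves.
DocumentRoot "/srv/www/htdocs"
ScriptAlias  /cgi-bin/ "/srv/www/cgi-bin/"

<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# --- If the scripts must stay under DocumentRoot ---
# Drop the ScriptAlias and attach the handler to the filesystem path,
# so it applies however the request URL was mapped to that directory.
#
#   <Directory "/srv/www/htdocs/cgi-bin">
#       Options +ExecCGI
#       SetHandler cgi-script
#   </Directory>
```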
