httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Fri, 18 Aug 2006 16:56:30 GMT
On 8/18/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:
> Joshua Slive schrieb:
>
> > On 8/18/06, Mark J Cox <mark@awe.com> wrote:
> > > I think the right response here is to make it more explicit in the
> > > documentation that putting a ScriptAlias cgi-bin inside document root is
> > > bad.
> >
> > Yes, this is a relatively common configuration error.  Although this
> > does not make it a bug, it does point out that our documentation could
> > be clearer.  Unfortunately, the basic problem is that people see the
> > ScriptAlias in the default config file and assume that is the only way
> > to activate cgi scripts, so regardless of what we put in the docs, it
> > won't help that much.
>
> I don't complete agree with you... IMHO the basic "problem" is:
> The "URL-path" in ScriptAlias (like in Alias and Location) is compared case
> sensitive first, also on Windows. The "normal" URI to path translation
> (directory-path) not on Windows. That should be better explained in the
> manual.

Yes, it should be explained that *Alias* are case-sensitive in their
first argument.  But your diagnosis is not quite correct.  URLs are
always case sensitive in httpd (and in the HTTP RFC).  The fact that
multiple different URLs happen to map to the same filesystem location
is an artificat of the filesystem, not of the path translation code.
httpd does handle case-insensitivity correctly in its filesystem code
(such as the <Directory> block).

> BTW:
> ScriptAlias is not complete the same as an "Options ExecCGI". On Windows you
> can use something like that to avoid the problem:
> ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/apache/cgi-bin$1"

I don't know why you say that Options/SetHandler isn't the same as
ScriptAlias.  They are identical in all important respects, as far as
I know.  Your suggestion is not a good one for this problem, because
there are other ways to dodge around that regex on many filesystems
(multiple slashes, special characters, etc).  Those are all handled
properly by <Directory>.  (Your suggestion is fine for the general
question "How do I make the cgi-bin alias case-insensitive?" but it is
not a safe way to use ScriptAlias to put the cgi-bin inside the
DocumentRoot.)

Joshua.

Mime
View raw message