httpd-docs mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date Mon, 08 Feb 2016 16:25:26 GMT
On Mon, Feb 8, 2016 at 10:20 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

>
> This is worthy of discussion on docs@httpd, so please allow me to cite
> your example... Your report does suggest that we might illustrate this
> alias effect more clearly in the docs, e.g. an example like this;
>
>   Note that unexpected expansion may occur when trailing slashes
>   are omitted, including the case of "Alias / /foo". Given the example;
>     Alias /icons /usr/share/icons
>   A request for /icons/small.gif is mapped to /usr/share/icons/small.gif
>   A request for /icons-private/small.gif is mapped to /usr/share/icons-private/small.gif
>   This behavior is by-design.
>

When did this get mis-stated at
http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias, the information
seems most incorrect...

Alias "/image" "/ftp/pub/image"

A request for http://example.com/image/foo.gif would cause the server to
return the file /ftp/pub/image/foo.gif. Only complete path segments are
matched, so the above alias would not match a request for
http://example.com/imagefoo.gif.
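
The two matching rules contrasted in this message, side by side, as an added example that is not part of the original message and is not httpd's own code: a plain string-prefix test (the behaviour the proposed note describes) and a complete-segment test (the behaviour the quoted mod_alias page describes). The function names `match_prefix`, `match_segment` and `map_alias` are hypothetical, and the request paths are constructed from the examples above.

```c
#include <stdio.h>
#include <string.h>

/* Plain string-prefix rule: the alias matches whenever the URI starts with it.
 * Returns the number of URI bytes consumed by the alias, or 0 for no match. */
static size_t match_prefix(const char *uri, const char *alias)
{
    size_t n = strlen(alias);
    return (n > 0 && strncmp(uri, alias, n) == 0) ? n : 0;
}

/* Complete-segment rule: as above, but an alias without a trailing slash
 * must end exactly at a '/' or at the end of the URI. */
static size_t match_segment(const char *uri, const char *alias)
{
    size_t n = match_prefix(uri, alias);
    if (n == 0)
        return 0;
    if (alias[n - 1] != '/' && uri[n] != '\0' && uri[n] != '/')
        return 0;
    return n;
}

/* Map a URI to a filesystem path under the chosen rule (hypothetical helper).
 * Returns 1 and fills out on a match, 0 when the alias does not apply. */
static int map_alias(size_t (*rule)(const char *, const char *),
                     const char *uri, const char *alias, const char *target,
                     char *out, size_t outlen)
{
    size_t n = rule(uri, alias);
    if (n == 0)
        return 0;
    snprintf(out, outlen, "%s%s", target, uri + n);
    return 1;
}

int main(void)
{
    /* Constructed requests, taken from the examples in the message. */
    const char *uris[] = { "/icons/small.gif", "/icons-private/small.gif", "/icons" };
    char a[256], b[256];
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        int pa = map_alias(match_prefix, uris[i], "/icons", "/usr/share/icons", a, sizeof a);
        int sb = map_alias(match_segment, uris[i], "/icons", "/usr/share/icons", b, sizeof b);
        printf("%-26s prefix: %-36s segment: %s\n", uris[i],
               pa ? a : "(no match)", sb ? b : "(no match)");
    }
    return 0;
}
```

Under the prefix rule the `/icons-private/small.gif` request resolves outside the aliased directory; under the segment rule it does not match the alias at all.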
