httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "dbdweeb" <>
Subject [users@httpd] Need a VirtualScriptAliasMatch Directive
Date Mon, 31 Mar 2003 15:21:04 GMT

 There's this webapp where customers can drop binaries into the /cgi-bin/ of their changerooted
vhost environment. If they escape the changeroot they can do nasty stuff from the browser.
To prevent this ScriptAliasMatch is used as follows:

# virtual host entry for cust1
<VirtualHost ###.###.###.###:80>
 DocumentRoot /app/cust1/vhost/cust1
 ScriptAliasMatch ^/cgi-bin/cust1$ /app/cust1/cgi-bin/cust1
 ScriptAliasMatch ^/cgi-bin/app1/(.*) /app/cust1/cgi-bin/app1/$1
 ScriptAliasMatch ^/cgi-bin/app2/(.*) /app/cust1/cgi-bin/app2/$1
 ### ScriptAliasMatch continues at length!!
 <Directory /app/cust1/cgi-bin/>
  Options FollowSymLinks

There are many other subdirectories of /cgi-bin/ not listed in the above which MUST NOT be
matched. Changing the directory structure is not an option. 100's of customers are maintained
in huge vhost files and Apache must be restarted everytime changes are made. I looked at mod_vhost_alias
and mod_rewrite and didn't come up with a solution. Is there a more elegant way to do this?
Any suggestions?

bona fide newbie

No banners. No pop-ups. No kidding.
Introducing My Way -

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message