From: Joshua Slive
Date: Sun, 20 Aug 2006 18:08:43 +0000 (+0000)
Subject: Make it clear that url-path is always case-sensitive.
X-Git-Tag: 2.3.0~2153
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1f2b32f04e587a32a28f9de680524ab599130b43;p=apache

Make it clear that url-path is always case-sensitive.
Provide an example of using a regex to make it case-insensitive.
Make it clear that ScriptAlias is only used when you want BOTH
mapping and script-designation.

Partially in response to the disputed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@432997 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_alias.html.en b/docs/manual/mod/mod_alias.html.en index c21a8b93d6..948881a474 100644 --- a/docs/manual/mod/mod_alias.html.en +++ b/docs/manual/mod/mod_alias.html.en @@ -118,7 +118,9 @@ ignored.

be stored in the local filesystem other than under the DocumentRoot. URLs with a (%-decoded) path beginning with url-path will be mapped - to local files beginning with directory-path.

+ to local files beginning with directory-path. The + url-path is case-sensitive, even on case-insenitive + file systems.

Example:

Alias /image /ftp/pub/image @@ -184,6 +186,14 @@ expressions AliasMatch ^/icons(.*) /usr/local/apache/icons$1

+

It is also possible to construct an alias with case-insensitive + matching of the url-path:

+ +

+ AliasMatch (?i)^/image(.*) /ftp/pub/image$1 +

+ +
top

Redirect Directive
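Review bot: In the added example `AliasMatch (?i)^/image(.*) /ftp/pub/image$1`, the pattern is not anchored at a path-segment boundary, so besides /image and /IMAGE/x it also matches a path such as /imagery/x and maps it to /ftp/pub/imagery/x. The existing `^/icons(.*)` example has the same shape, so this may be intentional, but because the new example is presented as the case-insensitive form of `Alias /image /ftp/pub/image`, consider a pattern that requires a slash or the end of the path after /image, and add a sentence on when case-insensitive matching is appropriate.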

@@ -200,12 +210,12 @@ a different URL

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

-

The old URL-path is a (%-decoded) path beginning with - a slash. A relative path is not allowed. The new URL - should be an absolute URL beginning with a scheme and hostname, - but a URL-path beginning with a slash may also be used, in which - case the scheme and hostname of the current server will be - added.

+

The old URL-path is a case-sensitive (%-decoded) path + beginning with a slash. A relative path is not allowed. The new + URL should be an absolute URL beginning with a scheme and + hostname, but a URL-path beginning with a slash may also be used, + in which case the scheme and hostname of the current server will + be added.

Then any request beginning with URL-Path will return a redirect request to the client at the location of the target @@ -342,9 +352,9 @@ target as a CGI script

The ScriptAlias directive has the same behavior as the Alias directive, except that in addition it marks the target directory - as containing CGI scripts that will be processed by mod_cgi's cgi-script handler. URLs with a + as containing CGI scripts that will be processed by mod_cgi's cgi-script handler. URLs with a case-sensitive (%-decoded) path beginning with URL-path will be mapped - to scripts beginning with the second argument which is a full + to scripts beginning with the second argument, which is a full pathname in the local filesystem.

Example:

@@ -352,8 +362,34 @@ target as a CGI script

A request for http://myserver/cgi-bin/foo would cause the - server to run the script /web/cgi-bin/foo.

+ server to run the script /web/cgi-bin/foo. This configuration + is essentially equivalent to:

+

+ Alias /cgi-bin/ /web/cgi-bin/
+ <Directory /web/cgi-bin >
+ + SetHandler cgi-script
+ Options +ExecCGI
+
+ </Directory> +

+
It is safer to avoid placing CGI scripts under the + DocumentRoot in order to + avoid accidentally revealing their source code if the + configuration is ever changed. The + ScriptAlias makes this easy by mapping a + URL and designating CGI scripts at the same time. If you do + choose to place your CGI scripts in a directory already + accessible from the web, do not use + ScriptAlias. Instead, use <Directory>, SetHandler, and Options as shown in the second example + above.
+ + +

See also

+
top

ScriptAliasMatch Directive
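Review bot: The added warning paragraph ("It is safer to avoid placing CGI scripts under the DocumentRoot ...") names "if the configuration is ever changed" as the only way script source could be revealed, although the rest of this patch stresses that the URL-path is case-sensitive. Suggest stating the link directly: when the script directory is also reachable through the DocumentRoot, a request path that does not match the ScriptAlias URL-path gets neither the mapping nor the cgi-script designation from ScriptAlias. Separately, `<Directory /web/cgi-bin >` in the equivalent-configuration example has a stray space before the closing bracket.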

diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml index 1724881ea5..ddf82f807b 100644 --- a/docs/manual/mod/mod_alias.xml +++ b/docs/manual/mod/mod_alias.xml @@ -106,7 +106,9 @@ ignored.

be stored in the local filesystem other than under the DocumentRoot. URLs with a (%-decoded) path beginning with url-path will be mapped - to local files beginning with directory-path.

+ to local files beginning with directory-path. The + url-path is case-sensitive, even on case-insenitive + file systems.

Example: Alias /image /ftp/pub/image @@ -175,6 +177,14 @@ expressions AliasMatch ^/icons(.*) /usr/local/apache/icons$1 + +

It is also possible to construct an alias with case-insensitive + matching of the url-path:

+ + + AliasMatch (?i)^/image(.*) /ftp/pub/image$1 + + @@ -192,12 +202,12 @@ a different URL

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.

-

The old URL-path is a (%-decoded) path beginning with - a slash. A relative path is not allowed. The new URL - should be an absolute URL beginning with a scheme and hostname, - but a URL-path beginning with a slash may also be used, in which - case the scheme and hostname of the current server will be - added.

+

The old URL-path is a case-sensitive (%-decoded) path + beginning with a slash. A relative path is not allowed. The new + URL should be an absolute URL beginning with a scheme and + hostname, but a URL-path beginning with a slash may also be used, + in which case the scheme and hostname of the current server will + be added.

Then any request beginning with URL-Path will return a redirect request to the client at the location of the target @@ -337,9 +347,9 @@ target as a CGI script behavior as the Alias directive, except that in addition it marks the target directory as containing CGI scripts that will be processed by mod_cgi's cgi-script handler. URLs with a + >mod_cgi's cgi-script handler. URLs with a case-sensitive (%-decoded) path beginning with URL-path will be mapped - to scripts beginning with the second argument which is a full + to scripts beginning with the second argument, which is a full pathname in the local filesystem.

Example: @@ -347,8 +357,34 @@ target as a CGI script

A request for http://myserver/cgi-bin/foo would cause the - server to run the script /web/cgi-bin/foo.

+ server to run the script /web/cgi-bin/foo. This configuration + is essentially equivalent to:

+ + Alias /cgi-bin/ /web/cgi-bin/
+ <Directory /web/cgi-bin >
+ + SetHandler cgi-script
+ Options +ExecCGI
+
+ </Directory> +
+ + It is safer to avoid placing CGI scripts under the + DocumentRoot in order to + avoid accidentally revealing their source code if the + configuration is ever changed. The + ScriptAlias makes this easy by mapping a + URL and designating CGI scripts at the same time. If you do + choose to place your CGI scripts in a directory already + accessible from the web, do not use + ScriptAlias. Instead, use Directory, SetHandler, and Options as shown in the second example + above. + +CGI Tutorial
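Review bot: The sentence added to the Alias description (the first hunk of each file) reads "case-insenitive file systems"; this should be "case-insensitive". The same text appears in both mod_alias.xml and mod_alias.html.en, so both need the fix.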