On 10/10/2021 03:39, Eric Covener wrote:

Relative to the recent CVEs, should we replace ScriptAlias in the
default conf with Alias + SetHandler cgi-script in the corresponding
Directory section?

And .. should ScriptAlias be deprecated/discouraged in some way if the
expanded version is safer by avoiding the equivalent of setting the
handler in Location vs. Directory?

I am assuming it is not possible/feasible to make ScriptAlias just
work as if it was in the 2nd argument's Directory config.

 -1

You are talking about changing an httpd lifelong option, that's used in millions of settings around the world.

The ScriptAlias setting is not used in any directory setting in my case, it's used in a global way

DocumentRoot "/var/www/html"

<Directory "/var/www">
AllowOverride None
Options SymlinksIfOwnerMatch
Require all granted
</Directory>

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
AllowOverride None
Require all granted
</Directory>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

and more globally used at every service provider I've been at (not all my doing, but the end result is identical) inside virtual host confs

<VirtualHost xxxxxxxxxx >
ServerName xxxxxxx
ServerAlias www.xxxxxxxx
DocumentRoot /var/www/vhost/xxxxxxx/www/html
ScriptAlias /cgi-bin/ /var/www/vhost/xxxxxxxxx/www/cgi-bin/

...snip...

</VirtualHost>

This is how every person expects it.

So you want to go make that more convoluted?

--
Regards,
Noel Butler
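
An added illustration, not part of the original message or of httpd: a small Python inventory of active ScriptAlias directives in a config, printing for each one the expanded Alias plus SetHandler cgi-script form in the Directory section that the quoted proposal describes. The sample config is constructed from the global config quoted above; the function names are hypothetical, and the `Options +ExecCGI` line is this example's addition.

```python
import re
import shlex

# Constructed sample, modelled on the global config quoted in the message above.
SAMPLE_CONF = '''\
DocumentRoot "/var/www/html"
Alias /icons/ "/var/www/icons/"
# ScriptAlias /old-cgi/ "/var/www/old-cgi/"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
'''

# Directive names are case-insensitive; the trailing \s+ skips ScriptAliasMatch.
SCRIPTALIAS = re.compile(r'^\s*ScriptAlias\s+(.+)$', re.IGNORECASE)

def find_scriptaliases(conf_text):
    """Return (line_no, url_path, fs_path) for every active ScriptAlias line."""
    found = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = SCRIPTALIAS.match(line)  # commented-out lines do not match
        if m:
            args = shlex.split(m.group(1))  # handles quoted paths
            if len(args) == 2:
                found.append((line_no, args[0], args[1]))
    return found

def expanded_form(url_path, fs_path):
    """Build the Alias + <Directory> SetHandler form for one ScriptAlias."""
    directory = fs_path.rstrip('/') or '/'
    return '\n'.join([
        f'Alias {url_path} "{fs_path}"',
        f'<Directory "{directory}">',
        '    SetHandler cgi-script',
        # Without ScriptAlias, mod_cgi only runs scripts where ExecCGI is enabled.
        '    Options +ExecCGI',
        '</Directory>',
    ])

if __name__ == '__main__':
    for line_no, url, path in find_scriptaliases(SAMPLE_CONF):
        print(f'line {line_no}: ScriptAlias {url} {path}\n{expanded_form(url, path)}\n')
```

The printed block is a starting point only: where a `<Directory>` section for the same path already exists, as in the quoted config, its access-control and `Options` lines have to be merged by hand.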
