On 8/19/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
[I don't agree with large chunks of what you wrote, but the crux of the matter is here:]
And why are sometimes (part of) the URI is case-sensitive and somtimes not and what happens in consequence because of this behavior. And this behavior is the only reason why it can be (on some systems) a problem to have the ScriptAlias inside the DirectoryRoot.
That last sentence is simply not true. Search the the bugtraq archives for all the other vulnerabilities in windows web servers caused by subtleties of the filesystem. It is not the job of *Alias* to deal with that; the *Alias* directives map a URL to the filesystem. If you want to protect things in the filesystem, you have <Directory>. Yes, it would be nice if httpd could force the use of a canonical case on case-insensitive filesystems. It can be partially done with mod_rewrite. But that would not make it safe to use ScriptAlias in the way you want. Joshua.
