Joshua Slive wrote:
<note><directive>ScriptAlias</directive> is used to <strong>both</strong> map a URL to a directory <strong>and</strong> mark requests for that URL as pointing to CGI scripts. It should not be used for directories that are already accessible from the web because they are under the <directive module="core">DocumentRoot</directive>, for example. Instead, you can use:
<example>
<Directory /usr/local/apache2/htdocs/cgi-dir ><br />
SetHandler cgi-script<br />
Options ExecCGI<br />
</Directory>
</example></note>
I like the idea of this documentation addition, plus maybe an explanation about why it is recommended on the security tips page (something about the differences between URLs and paths in the configuration, and the security implications of the difference, using CGI as an example), with a reference to it in the ScriptAlias section.
This is important to me because, after reading this thread, I've realized I never thought about these particular security hazards of referencing something by its <Location> or Alias (which is always case-sensitive and has different ways of referencing the same characters) vs. by its <Directory> or <File> (which is case-insensitive on some operating systems, and normalizes all those character differences before trying to match). And now I need to go do an audit of my web servers to make sure...
Dave
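The hazard Dave describes, matching on the literal request URL versus matching on the filesystem path the request actually reaches, can be made concrete with a small model. The following is an added illustration, not code from httpd or from anyone in this thread: it compares a rule keyed on the raw URL string (the <Location>/Alias style) with a rule keyed on the decoded, normalized, optionally case-folded filesystem path (the <Directory> style). The document root, the protected directory and the request URLs are all constructed for the example. It is deliberately simplistic: real servers, httpd included, apply some decoding and normalization before <Location> matching, so exactly which spellings slip past a given server's URL-space rule is something to test against that server rather than read off this model. The model's point is the general one: a rule that never consults the filesystem cannot know which distinct strings the filesystem will treat as the same file.

```python
import posixpath
from urllib.parse import unquote

# Constructed values for the example (hypothetical paths, not from the page).
DOCROOT = "/var/www/htdocs"
PROTECTED_URL_PREFIX = "/secret-cgi"              # what a URL-space rule keys on
PROTECTED_DIR = DOCROOT + "/secret-cgi"           # what a filesystem rule keys on


def url_rule_denies(url_path: str) -> bool:
    """Model of a rule keyed on the literal request URL (<Location>/Alias style).

    It compares the raw string the client sent, so any spelling that the
    filesystem treats as equivalent but the string comparison does not will
    slip past. Simplified model, not httpd's matching code.
    """
    return url_path.startswith(PROTECTED_URL_PREFIX)


def canonical_fs_path(url_path: str, case_insensitive_fs: bool) -> str:
    """Translate a request URL into the filesystem path it would actually reach.

    Steps: percent-decode, force exactly one leading slash, collapse '//' and
    '.', resolve '..' (without escaping above the document root), then fold
    case if the filesystem ignores it. Simplified model of path translation.
    """
    decoded = unquote(url_path)
    # lstrip + "/" keeps posixpath.normpath from preserving a POSIX '//' prefix
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    full = posixpath.normpath(DOCROOT + normalized)
    return full.lower() if case_insensitive_fs else full


def dir_rule_denies(url_path: str, case_insensitive_fs: bool = False) -> bool:
    """Model of a rule keyed on the resolved filesystem path (<Directory> style)."""
    target = canonical_fs_path(url_path, case_insensitive_fs)
    protected = PROTECTED_DIR.lower() if case_insensitive_fs else PROTECTED_DIR
    return target == protected or target.startswith(protected + "/")


# Constructed request URLs that can all resolve to the same script on disk.
VARIANTS = [
    "/secret-cgi/run.sh",              # canonical spelling
    "/SECRET-CGI/run.sh",              # differs only by case
    "/secret%2Dcgi/run.sh",            # percent-encoded hyphen
    "//secret-cgi/run.sh",             # doubled slash
    "/images/../secret-cgi/run.sh",    # dot-dot through a sibling directory
]


def bypasses(case_insensitive_fs: bool) -> list:
    """Variants the URL-string rule lets through but the path rule would catch."""
    return [
        v for v in VARIANTS
        if not url_rule_denies(v) and dir_rule_denies(v, case_insensitive_fs)
    ]


if __name__ == "__main__":
    for fs_ci in (False, True):
        label = "case-insensitive" if fs_ci else "case-sensitive"
        print(f"{label} filesystem: URL-rule bypasses -> {bypasses(fs_ci)}")
```

On a case-sensitive filesystem the model's URL rule misses the encoded, double-slash and dot-dot spellings; on a case-insensitive one it additionally misses the upper-case spelling, which is the case Dave singles out. The audit question this suggests for a real server is simply: for each URL-space rule, which filesystem directory does it actually protect, and is that directory also protected by a <Directory> rule that does not depend on how the client spelled the URL?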
