On Sat, Oct 9, 2021 at 8:30 PM Noel Butler <noel.but...@ausics.net> wrote:

> On 10/10/2021 03:39, Eric Covener wrote:
>
> Relative to the recent CVEs, should we replace ScriptAlias in the
> default conf with Alias + SetHandler cgi-script in the corresponding
> Directory section?
>
> And .. should ScriptAlias be deprecated/discouraged in some way if the
> expanded version is safer by avoiding the equivalent of setting the
> handler in Location vs. Directory?
>
> I am assuming it is not possible/feasible to make ScriptAlias just
> work as if it was in the 2nd argument's Directory config.
>
>  -1
>
> You are talking about changing a httpd lifelong option, that's used in
> millions of settings around the world.
>
I'm talking about removing it from the default configuration file and
marking it as deprecated.
I don't see a negative impact to users with their own configuration (not
changed) or users with our default configuration (since the alternative
does the same thing aside from unexpected results where the same Location
is mapped to a file in an unintended location)

> This is how every person expects it.
>
> So you want to go make that more convoluted?
>

I don't think Alias + "SetHandler cgi-script" in the default configuration
is any more convoluted, given there's already a corresponding Directory
section. You could even argue it's conceptually simpler.

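The change proposed in this thread, written out as an added configuration example (it is not taken from the thread or from the project's shipped httpd.conf). The /usr/local/apache2/cgi-bin path and the AllowOverride/Require lines are assumptions chosen for illustration.

```apache
# Use ONE of the two variants below, not both.

# --- Variant A: ScriptAlias ---
# ScriptAlias maps the URL prefix to the directory AND marks every request
# under that URL prefix as a CGI script. The handler is attached to the
# URL path (the equivalent of setting it in <Location>), not to the
# filesystem directory the request finally resolves to.
ScriptAlias "/cgi-bin/" "/usr/local/apache2/cgi-bin/"

<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# --- Variant B: Alias + SetHandler in the Directory section ---
# Alias only maps the URL prefix. The cgi-script handler is set inside
# <Directory>, so it applies only to files that actually live under this
# directory after the URL has been mapped to a filesystem path.
Alias "/cgi-bin/" "/usr/local/apache2/cgi-bin/"

<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    # ScriptAlias implicitly permits execution; with a plain Alias the
    # cgi-script handler refuses to run anything unless ExecCGI is enabled.
    Options +ExecCGI
    SetHandler cgi-script
    Require all granted
</Directory>
```

After switching variants, `apachectl configtest` confirms the syntax, and a request for a script under /cgi-bin/ should still execute rather than return its source or a 403.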