On Sat, Oct 9, 2021 at 8:30 PM Noel Butler <noel.but...@ausics.net> wrote:

> On 10/10/2021 03:39, Eric Covener wrote:
> Relative to the recent CVEs, should we replace ScriptAlias in the
> default conf with Alias + SetHandler cgi-script in the corresponding
> Directory section?
> And .. should ScriptAlias be deprecated/discouraged in some way if the
> expanded version is safer by avoiding the equivalent of setting the
> handler in Location vs. Directory?
> I am assuming it is not possible/feasible to make ScriptAlias just
> work as if it was in the 2nd arguments Directory config.
>  -1
> You are talking about changing a httpd life long option, thats used in
> millions of settings around the world.
I'm talking about removing it from the default configuration file and
marking it as deprecated.
I don't see a negative impact to users with their own configuration (not
changed) or users
with our default configuration (since the alternative does the same thing
aside from unexpected
results where the same Location is mapped to a file in an unintended

This is how every person expects it.
> So you want to go make that more convoluted?

I don't think Alias + "SetHandler cgi-script" in the default configuration
is any more convoluted, given there's already a corresponding Directory
You could even argue it's conceptually simpler.

Reply via email to