Bartłomiej, very sorry for the crosspost into dev@, I neglected my first
cup of coffee.
This is worthy of discussion on docs@httpd, so please allow me to cite your
example... Your report does suggest that we might illustrate this alias
effect more clearly in the docs, e.g. an example like this;
Note that unexpected expansion may occur when trailing slashes
are omitted, including the case of "Alias / /foo". Given the example;
Alias /icons /usr/share/icons
A request for /icons/small.gif is mapped to /usr/share/icons/small.gif
A request for /icons-private/small.gif is mapped to
/usr/share/icons-private/small.gif
This behavior is by-design.
Would that help users better understand their configuration?
On Mon, Feb 8, 2016 at 10:09 AM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:
> On Sat, Feb 6, 2016 at 5:20 AM, Bartłomiej Żogała <nusc...@gmail.com>
> wrote:
>
>> Some day he wanted the blog to be visible from example.com/ root but
>> with mod_alias instead mod_rewrite. So he changed line "Alias /wp
>> /usr/share/wordpress" to "Alias / /usr/share/wordpress".
>>
>> Enters http://example.com/.old/ and gets
>> /usr/share/wordpress.old/index.php
>>
>
> This is precisely as-documented, and not a vulnerability;
> http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias
> "Note that if you include a trailing / on the URL-path then the server
> will require a trailing / in order to expand the alias."
> That *includes* the simple "Alias / /foo/" case, this singular "/"
> alias path is an example of an alias with a trailing "/".
>
