Joshua Slive wrote:
> On 8/19/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
> > Why is it really bad to have a ScriptAlias inside the DocumentRoot? It's
> > only another file system location. And it's only one line in the
> > config file instead of four. You have only a problem because of the
> > "unexpected" behavior of httpd with case-insensitive/case-preserved
> > file systems ;-) And on Windows, the simplest way to make a consistent
> > behavior with URIs is to have an alias match case-insensitive.
>
> You seemed to miss the second part of my message, where I pointed out
> that there are multiple ways to "skip around" aliases if they point to
> directories that are otherwise accessible from the filesystem. For
> example, a request for //cgi-bin/file.cgi might work (I haven't tested
> it)

The abs_path part of an HTTP URI can't start with a "//".

> or using one of the other "funny" characteristics of the Windows
> filesystem that make multiple URLs point to the same filesystem
> location.

Thus I can say, the source code is too simple... ;-) It's not the problem of
Windows (OS X, ...) that httpd doesn't compare the real case of a file with
the case of the resource given in an HTTP request.

BTW: With symlinks we have a similar "funny" thing on *nix, to point
multiple URIs to the same filesystem location.

> That is why if you want to restrict access to a filesystem
> location, you need to use <Directory>, which knows about all these
> funny things.

Don't forget, we are not talking about:

  <Directory c:/apache2/htdocs> ... </Directory>
  ScriptAlias /cgi-bin/ c:/apache2/htdocs/cgi-bin/

vs.

  <Directory c:/apache2/htdocs> ... </Directory>
  ScriptAlias /cgi-bin/ //server/share/htdocs/cgi-bin/

(different filesystem/network paths for Directory and ScriptAlias target.
OK, they can point to the same resource, but that's another problem.)

We are talking about:

  <Directory c:/apache2/htdocs> ... </Directory>
  ScriptAlias /cgi-bin/ c:/apache2/htdocs/cgi-bin/

and

  http://example.com/cgi-bin/foo.cgi

vs.

  http://example.com/CGI-BIN/foo.cgi

And why sometimes (part of) the URI is case-sensitive and sometimes not,
and what happens in consequence because of this behavior. And this behavior
is the only reason why it can be (on some systems) a problem to have the
ScriptAlias inside the DirectoryRoot.

Unfortunately there is for the moment no setting in the configuration, in
order to achieve with such a system a real RFC-conformant behavior (e.g. like
"lower_case_table_names" in MySQL). But you can achieve a consistent
behavior.

Regards,
Carsten
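
Added illustration (not part of the original message, and not httpd code): a Python sketch that flags ScriptAlias targets lying inside DocumentRoot and models how the two example URLs above are mapped. The config text is constructed, all function names are hypothetical, and `resolve` is a simplified assumption of the mapping under discussion (alias prefix compared case-sensitively, file lookup on a case-insensitive filesystem).

```python
import ntpath
import shlex

# Constructed sample config, modelled on the layout quoted in the message.
SAMPLE_CONF = '''
DocumentRoot "c:/apache2/htdocs"
ScriptAlias /cgi-bin/ c:/apache2/htdocs/cgi-bin/
ScriptAlias /tools/ "c:/apache2/cgi-tools/"
'''

def norm(path):
    # Compare paths the way a case-insensitive Windows filesystem would.
    return ntpath.normcase(ntpath.normpath(path))

def parse(conf):
    """Return (docroot, [(url_prefix, target), ...]) from httpd-style text."""
    docroot, aliases = None, []
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0].lower() == "documentroot":
            docroot = tok[1]
        elif len(tok) >= 3 and tok[0].lower() == "scriptalias":
            aliases.append((tok[1], tok[2]))
    return docroot, aliases

def aliases_inside_docroot(conf):
    """ScriptAlias entries whose target is DocumentRoot or lies below it."""
    docroot, aliases = parse(conf)
    if docroot is None:
        return []
    root = norm(docroot)
    return [(u, t) for u, t in aliases
            if norm(t) == root or norm(t).startswith(root + "\\")]

def resolve(conf, url_path):
    """Simplified model (assumption): alias prefixes are compared
    case-sensitively; anything else falls through to DocumentRoot."""
    docroot, aliases = parse(conf)
    for prefix, target in aliases:
        if url_path.startswith(prefix):
            return "cgi", norm(target + url_path[len(prefix):])
    return "default", norm(docroot + url_path)

if __name__ == "__main__":
    for prefix, target in aliases_inside_docroot(SAMPLE_CONF):
        print("ScriptAlias inside DocumentRoot:", prefix, "->", target)
    for url in ("/cgi-bin/foo.cgi", "/CGI-BIN/foo.cgi"):
        print(url, "->", resolve(SAMPLE_CONF, url))
```

Both URLs resolve to the same normalised file, but only the lower-case one goes through the ScriptAlias; the `/tools/` alias, whose target is outside DocumentRoot, is not flagged.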