On 10/10/2021 03:39, Eric Covener wrote:
> Relative to the recent CVEs, should we replace ScriptAlias in the
> default conf with Alias + SetHandler cgi-script in the corresponding
> Directory section?
>
> And .. should ScriptAlias be deprecated/discouraged in some way if the
> expanded version is safer by avoiding the equivalent of setting the
> handler in Location vs. Directory?
>
> I am assuming it is not possible/feasible to make ScriptAlias just
> work as if it was in the 2nd argument's Directory config.
-1
You are talking about changing a httpd lifelong option, that's used in
millions of settings around the world.
ScriptAlias setting is not used in any directory setting in my case, it's
used in a global way
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    Options SymlinksIfOwnerMatch
    Require all granted
</Directory>
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    AllowOverride None
    Require all granted
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
and more globally used in every service provider I've been at (not all
my doing but end result is identical) inside virtual hosts confs
<VirtualHost xxxxxxxxxx >
    ServerName xxxxxxx
    ServerAlias www.xxxxxxxx
    DocumentRoot /var/www/vhost/xxxxxxx/www/html
    ScriptAlias /cgi-bin/ /var/www/vhost/xxxxxxxxx/www/cgi-bin/
    ...snip...
</VirtualHost>
This is how every person expects it.
So you want to go make that more convoluted?
--
Regards,
Noel Butler
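
Added example, not part of the original message and not httpd project code: a Python script that performs the expansion asked about in the quoted question, rewriting each ScriptAlias as Alias and setting `SetHandler cgi-script` in the target's `<Directory>` block. The function names and the sample config are constructed for illustration; it assumes one directive per line and also enables ExecCGI, which the handler form needs and which `Options None` in a block like the one posted turns off.

```python
import re

SCRIPTALIAS = re.compile(r'^(\s*)ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.I)
DIR_OPEN = re.compile(r'^(\s*)<Directory\s+"?([^">\s]+)"?\s*>', re.I)
OPTIONS = re.compile(r'^(\s*)Options\s+(.*)$', re.I)

def with_execcgi(args):
    """Options arguments that permit CGI; "None" is replaced outright."""
    words = [w for w in args.split() if w.lower() != "none"]
    if any(w.lstrip("+").lower() == "execcgi" for w in words):
        return args
    relative = bool(words) and all(w[0] in "+-" for w in words)  # +/- cannot mix with bare words
    return " ".join(words + ["+ExecCGI" if relative else "ExecCGI"])

def expand_scriptalias(conf):
    """Rewrite ScriptAlias as Alias and set the CGI handler in <Directory>."""
    lines, norm = conf.splitlines(), lambda p: p.rstrip("/")
    have_dir = {norm(m.group(2)) for m in map(DIR_OPEN.match, lines) if m}
    aliased = {norm(m.group(3)) for m in map(SCRIPTALIAS.match, lines) if m}
    out, pad, saw_options = [], None, False
    for line in lines:
        sa, d, o = SCRIPTALIAS.match(line), DIR_OPEN.match(line), OPTIONS.match(line)
        new = [line]
        if sa:
            ind, url, path = sa.groups()
            new = [f'{ind}Alias {url} "{path}"']
            if norm(path) not in have_dir:  # no existing block to merge into
                new += [f'{ind}<Directory "{norm(path)}">', f'{ind}    SetHandler cgi-script',
                        f'{ind}    Options +ExecCGI', f'{ind}</Directory>']
        elif d and norm(d.group(2)) in aliased:  # existing block for a ScriptAlias target
            pad, saw_options = d.group(1) + "    ", False
            new.append(pad + "SetHandler cgi-script")
        elif pad is not None and o:
            saw_options = True
            new = [f"{o.group(1)}Options {with_execcgi(o.group(2))}"]
        elif pad is not None and line.strip().lower() == "</directory>":
            if not saw_options:  # inherited Options: add ExecCGI without resetting them
                new.insert(0, pad + "Options +ExecCGI")
            pad = None
        out += new
    return "\n".join(out)

SAMPLE = """ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options None
    Require all granted
</Directory>"""  # constructed sample, modelled on the first config in the message

if __name__ == "__main__":
    print(expand_scriptalias(SAMPLE))
```

Check the rewritten file with `apachectl configtest` before reloading the server.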