Re: apache 2.2 crashes at the start time in mod_dbd.c then preparing AuthDBDUserPWQuery

2006-08-18 Thread paritosh 
Hi Nick,

I'm using the latest revision of mod_dbd.c and I still get a segfault on
startup. My setup:

CONFIGURE FLAGS:
./configure --enable-so --enable-auth-digest --enable-dbd
--enable-authn-dbd --with-mysql=/usr

HTTPD.CONF:

DBDriver mysql
DBDParams "dbname=xxx user=xxx pass=xxx"


  AuthType Digest
  AuthName "xxx"

  AuthDigestProvider dbd

  Require valid-user

  AuthDBDUserRealmQuery "SELECT pwhash FROM users WHERE name = %s and
realm = %s"


GDB BACKTRACE:

(gdb) run -X -d ..
[Thread debugging using libthread_db enabled]
[New Thread -1212180800 (LWP 23469)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212180800 (LWP 23469)]
apr_hashfunc_default (char_key=0x0, klen=0xbfc96c38) at
tables/apr_hash.c:228
/home/paritosh/limespot/apache2.2/srclib/apr/tables/apr_hash.c:228:7055:beg:0xb7daa3ce
(gdb) bt
#0  apr_hashfunc_default (char_key=0x0, klen=0xbfc96c38) at
tables/apr_hash.c:228
#1  0xb7daa437 in find_entry (ht=0x8128270, key=0x0, klen=-1, val=0x0)
at tables/apr_hash.c:260
#2  0xb7daa5f4 in apr_hash_get (ht=0x, key=0xbfc96c38, klen=-1)
at tables/apr_hash.c:330
#3  0x08082a96 in ap_dbd_prepare (s=0x80d3ab0, query=0x , label=0x ) at mod_dbd.c:152
#4  0x0807dedb in authn_dbd_prepare (cmd=0xbfc9701c, cfg=0x812d190,
query=0x812d198 "SELECT pwhash FROM principals INNER JOIN users ON
principals.resource_id = users.principal_id WHERE name = %s and name !=
%s") at mod_authn_dbd.c:72
#5  0x080747f9 in invoke_cmd (cmd=0x80b3398, parms=0xbfc9701c,
mconfig=0x812d190, args=0x810e58e "") at config.c:873
#6  0x080755d2 in ap_walk_config (current=0x810e4f0, parms=0xbfc9701c,
section_vector=0x812cba8) at config.c:1141
#7  0x0806bec4 in urlsection (cmd=0xbfc9701c, mconfig=0x810e198,
arg=0x812ce28 "") at core.c:1942
#8  0x080747f9 in invoke_cmd (cmd=0x80b0cd8, parms=0xbfc9701c,
mconfig=0x810e198, args=0x810e3c8 "/private>") at config.c:873
#9  0x080755d2 in ap_walk_config (current=0x81141f8, parms=0xbfc9701c,
section_vector=0x810d228) at config.c:1141
#10 0x080762b6 in ap_process_config_tree (s=0xbfc96c38,
conftree=0x, p=0x80cb0a8, ptemp=0x) at config.c:1743
#11 0x08062071 in main (argc=4, argv=0xbfc97174) at main.c:621

On Thu, 2006-08-17 at 15:21 +0100, Nick Kew wrote:
> On Thursday 17 August 2006 14:51, paritosh wrote:
> > Hi all,
> >
> >
> > I had a working installation of apache 2.2.2 with mod_dbd and
> > mod_authn_dbd configured. Recently I upgraded to 2.2.3 and the server
> > crashes with the same backtrace. ( it crashes in apr_hashfunc_default at
> > tables/apr_hash.c:228 ).
> 
> That is not a backtrace.
> 
> > Have there been any developments towards 
> > resolving this ?
> 
> http://svn.apache.org/viewvc?view=rev&revision=424798
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/database/mod_dbd.c?r1=421103&r2=425659
>

CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Mark J Cox 
See 
http://marc.theaimsgroup.com/?l=bugtraq&m=115527423727441&w=2

which basically reports "if you put cgi-bin under docroot then you can
view cgi scripts on OS which have case insensitive filesystems"

Joe replied: 
http://marc.theaimsgroup.com/?l=bugtraq&m=115574424402976&w=2
and I submitted that as an "DISPUTED" to CVE

But the original reporter disagrees:
http://marc.theaimsgroup.com/?l=bugtraq&m=115583509231594&w=2

I think the right response here is to make it more explicit in the
documentation that putting a ScriptAlias cgi-bin inside document root is
bad.

Mark
--
Mark J Cox | www.awe.com/mark

Re: apache 2.2 crashes at the start time in mod_dbd.c then preparing AuthDBDUserPWQuery

2006-08-18 Thread Nick Kew 
On Friday 18 August 2006 08:19, paritosh wrote:
> Hi Nick,
>
> I'm using the latest revision of mod_dbd.c and I still get a segfault on
> startup. My setup:
>
> CONFIGURE FLAGS:
> ./configure --enable-so --enable-auth-digest --enable-dbd
> --enable-authn-dbd --with-mysql=/usr

So that's static compilation ...
>
> HTTPD.CONF:

Looks fine, but

>   AuthDBDUserRealmQuery "SELECT pwhash FROM users WHERE name = %s and
> realm = %s"

doesn't look much like

> #4  0x0807dedb in authn_dbd_prepare (cmd=0xbfc9701c, cfg=0x812d190,
> query=0x812d198 "SELECT pwhash FROM principals INNER JOIN users ON
> principals.resource_id = users.principal_id WHERE name = %s and name !=
> %s") at mod_authn_dbd.c:72


> GDB BACKTRACE:

OK, here we have a problem at:

> #3  0x08082a96 in ap_dbd_prepare (s=0x80d3ab0, query=0x  0x out of bounds>, label=0x  bounds>) at mod_dbd.c:152

where the query and label pointers are garbage.  That's the kind of
thing I'd expect if one or more of your modules was compiled on a
slightly different architecture.  But I guess we can rule that out
since you compiled statically (assuming you compiled on the same
machine it's running on?)

Can you compile mod_dbd (and perhaps also mod_authn_dbd) with
-O0 rather than the default -O2, so we don't get that kind of report
as an artifact of compilation optimisation?


-- 
Nick Kew

Re: apache 2.2 crashes at the start time in mod_dbd.c then preparing AuthDBDUserPWQuery

2006-08-18 Thread paritosh 
On Fri, 2006-08-18 at 10:23 +0100, Nick Kew wrote:
> On Friday 18 August 2006 08:19, paritosh wrote:
> > Hi Nick,
> >
> > I'm using the latest revision of mod_dbd.c and I still get a segfault on
> > startup. My setup:
> >
> > CONFIGURE FLAGS:
> > ./configure --enable-so --enable-auth-digest --enable-dbd
> > --enable-authn-dbd --with-mysql=/usr
> 
> So that's static compilation ...
> >
> > HTTPD.CONF:
> 
> Looks fine, but
> 
> >   AuthDBDUserRealmQuery "SELECT pwhash FROM users WHERE name = %s and
> > realm = %s"
> 
> doesn't look much like
> 
> > #4  0x0807dedb in authn_dbd_prepare (cmd=0xbfc9701c, cfg=0x812d190,
> > query=0x812d198 "SELECT pwhash FROM principals INNER JOIN users ON
> > principals.resource_id = users.principal_id WHERE name = %s and name !=
> > %s") at mod_authn_dbd.c:72
> 
> 
> > GDB BACKTRACE:
> 
> OK, here we have a problem at:
> 
> > #3  0x08082a96 in ap_dbd_prepare (s=0x80d3ab0, query=0x  > 0x out of bounds>, label=0x  > bounds>) at mod_dbd.c:152
> 
> where the query and label pointers are garbage.  That's the kind of
> thing I'd expect if one or more of your modules was compiled on a
> slightly different architecture.  But I guess we can rule that out
> since you compiled statically (assuming you compiled on the same
> machine it's running on?)
> 
Yes, it's the same machine.

> Can you compile mod_dbd (and perhaps also mod_authn_dbd) with
> -O0 rather than the default -O2, so we don't get that kind of report
> as an artifact of compilation optimisation?
> 
> 

recompiled everything with -O0, the new backtrace is:

(gdb) run -X -d ..
[Thread debugging using libthread_db enabled]
[New Thread -1212528960 (LWP 10335)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212528960 (LWP 10335)]
0xb7d55f2d in apr_hashfunc_default (char_key=0x0, klen=0xbf94b1d8) at
tables/apr_hash.c:228
/home/paritosh/limespot/apache2.2.3/srclib/apr/tables/apr_hash.c:228:7055:beg:0xb7d55f2d
(gdb) bt
#0  0xb7d55f2d in apr_hashfunc_default (char_key=0x0, klen=0xbf94b1d8)
at tables/apr_hash.c:228
#1  0xb7d55fad in find_entry (ht=0x813f270, key=0x0, klen=-1, val=0x0)
at tables/apr_hash.c:260
#2  0xb7d5626f in apr_hash_get (ht=0x813f270, key=0x0, klen=-1) at
tables/apr_hash.c:330
#3  0x0808c433 in ap_dbd_prepare (s=0x80eaab0, query=0x8144178 "SELECT
pwhash FROM users WHERE name = %s and realm = %s", label=0x81441b8
"authn_dbd_1") at mod_dbd.c:152
#4  0x08086243 in authn_dbd_prepare (cmd=0xbf94b76c, cfg=0x8144170,
query=0x8144178 "SELECT pwhash FROM users WHERE name = %s and realm = %
s") at mod_authn_dbd.c:72
#5  0x0807a59e in invoke_cmd (cmd=0x80c9218, parms=0xbf94b76c,
mconfig=0x8144170, args=0x8125541 "") at config.c:768
#6  0x0807b70a in ap_walk_config_sub (current=0x81254e8,
parms=0xbf94b76c, section_vector=0x8143ba8) at config.c:1141
#7  0x0807b7a4 in ap_walk_config (current=0x81254e8, parms=0xbf94b76c,
section_vector=0x8143ba8) at config.c:1174
#8  0x0806fbc4 in urlsection (cmd=0xbf94b76c, mconfig=0x8125198,
arg=0x8143e28 "") at core.c:1942
#9  0x0807a3f6 in invoke_cmd (cmd=0x80c67f8, parms=0xbf94b76c,
mconfig=0x8125198, args=0x81253c8 "/private>") at config.c:735
#10 0x0807b70a in ap_walk_config_sub (current=0x812b1f8,
parms=0xbf94b76c, section_vector=0x8124228) at config.c:1141
#11 0x0807b7a4 in ap_walk_config (current=0x812b1f8, parms=0xbf94b76c,
section_vector=0x8124228) at config.c:1174
#12 0x0807c7b3 in ap_process_config_tree (s=0x80eaab0,
conftree=0x812a308, p=0x80e20a8, ptemp=0x810) at config.c:1743
#13 0x08062507 in main (argc=4, argv=0xbf94b8f4) at main.c:621

The problem is that s->server_hostname is sent as 'key' to
apr_hash_get(). But it is NULL if ServerName directive is not set in the
httpd.conf. Simply adding following to httpd.conf solved the problem:

SeverName 127.0.0.1:80

( I should mention that 2.2.2 with similar setup did not crash even
without the ServerName directive )

Re: apache 2.2 crashes at the start time in mod_dbd.c then preparing AuthDBDUserPWQuery

2006-08-18 Thread Nick Kew 
On Friday 18 August 2006 12:35, paritosh wrote:

> recompiled everything with -O0, the new backtrace is:

> #2  0xb7d5626f in apr_hash_get (ht=0x813f270, key=0x0, klen=-1) at
> tables/apr_hash.c:330

Aha!  NULL key.  That should be the server name.

> #3  0x0808c433 in ap_dbd_prepare (s=0x80eaab0, query=0x8144178 "SELECT
> pwhash FROM users WHERE name = %s and realm = %s", label=0x81441b8
> "authn_dbd_1") at mod_dbd.c:152

whereas that now makes sense.  The junk before was indeed optimisation.

> #4  0x08086243 in authn_dbd_prepare (cmd=0xbf94b76c, cfg=0x8144170,
> query=0x8144178 "SELECT pwhash FROM users WHERE name = %s and realm = %
> s") at mod_authn_dbd.c:72

That should be line 70, not 72.  Still slightly confusing.

Anyway, this traceback iidentifies the problem: we need to make a
special case of a null server name.

> The problem is that s->server_hostname is sent as 'key' to
> apr_hash_get(). But it is NULL if ServerName directive is not set in the
> httpd.conf. Simply adding following to httpd.conf solved the problem:
>
> SeverName 127.0.0.1:80
>
> ( I should mention that 2.2.2 with similar setup did not crash even
> without the ServerName directive )

Yes, the fix in 2.2.3 over 2.2.2 was for a bug in handling of virtualhosts.
Thanks for the report, and for helping to fix it!

I'll commit a patch to /trunk/ shortly.

-- 
Nick Kew

Re: svn commit: r432360 [1/8] - in /httpd/httpd/trunk/docs/manual: ./ mod/ programs/

2006-08-18 Thread Jim Jagielski 


On Aug 17, 2006, at 6:17 PM, André Malo wrote:



That is all strange. Can you try the following patch in the build- 
directory:


Index: lib/DocUtil.pm
===
--- lib/DocUtil.pm  (revision 432356)
+++ lib/DocUtil.pm  (working copy)
@@ -77,6 +77,7 @@

 # use HTTP path separators (/)
 $docpath = join '/' => ('', File::Spec->splitdir($docpath), '');
+1 while ($docpath =~ s,/\./,/,g);
 $docpath =~ y,/,/,s; # squeeze multiple slashes

 # compute relative (HTTP-)path from srcfile to docroot



Applying the above and rerunning ./build.sh I see (as an example
for svn diff):

Index: glossary.html.en
===
--- glossary.html.en(revision 432560)
+++ glossary.html.en(working copy)
@@ -6,29 +6,29 @@
  
X

   -->
Glossary - Apache HTTP Server
-type="text/css" title="Main stylesheet" />
-
-media="print" type="text/css" />

-
+type="text/css" title="Main stylesheet" />
+
+media="print" type="text/css" />

+


Index: invoking.xml.meta
===
--- invoking.xml.meta   (revision 432560)
+++ invoking.xml.meta   (working copy)
@@ -2,8 +2,8 @@

   invoking
-  /./
-  ..
+  /
+  .
   
 de


so I think that fixes it

Re: svn commit: r432360 [1/8] - in /httpd/httpd/trunk/docs/manual: ./ mod/ programs/

2006-08-18 Thread André Malo 
* Jim Jagielski wrote: 

> Index: invoking.xml.meta
> ===
> --- invoking.xml.meta   (revision 432560)
> +++ invoking.xml.meta   (working copy)
> @@ -2,8 +2,8 @@
> 
> invoking
> -  /./
> -  ..
> +  /
> +  .
> 
>   de
>
>
> so I think that fixes it

Looks great. I suspect a bogus File::Spec implementation for Mac OS X and 
will apply the patch later this day "officially" to the build system. I 
think, you can re-checkin that now :)

Thanks for your help.

nd

Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Joshua Slive 

On 8/18/06, Mark J Cox <[EMAIL PROTECTED]> wrote:

See
http://marc.theaimsgroup.com/?l=bugtraq&m=115527423727441&w=2

which basically reports "if you put cgi-bin under docroot then you can
view cgi scripts on OS which have case insensitive filesystems"

Joe replied:
http://marc.theaimsgroup.com/?l=bugtraq&m=115574424402976&w=2
and I submitted that as an "DISPUTED" to CVE

But the original reporter disagrees:
http://marc.theaimsgroup.com/?l=bugtraq&m=115583509231594&w=2

I think the right response here is to make it more explicit in the
documentation that putting a ScriptAlias cgi-bin inside document root is
bad.


Yes, this is a relatively common configuration error.  Although this
does not make it a bug, it does point out that our documentation could
be clearer.  Unfortunately, the basic problem is that people see the
ScriptAlias in the default config file and assume that is the only way
to activate cgi scripts, so regardless of what we put in the docs, it
won't help that much.

Something like the following should probably be added to the docs for
ScriptAlias (and perhaps in the CGI tutorial):

ScriptAlias is used to
both map a URL to a directory and
mark requests for that URL as pointing to CGI scripts.  It should not
be used for directories that are already accessible from the web
because they are under the DocumentRoot, for example.  Instead, you can
use:


SetHandler cgi-script
Options ExecCGI



Joshua.

Problem with mod_python and send data with a form

2006-08-18 Thread David Bizier 
Hi,

I'm a beginner with mod_python and Python (also with english langage,
sorry). I tried some exemple code and all works fine!

Unfortunately, I have a problem to send data with a form (POST ou GET) to a
.py script file. When I try to send data to my .py file, with Firefox, I see
a blank page, without text or error message.

Here is my form (export.php):

--

   
  

  
First Name: 

  
  

  

  
   



And here is my python page (toto.py):

---
from mod_python import apache
from mod_python import util

def say(req, firstname="NOTHING"):
 req.content_type = "text/html"
 return "I am saying %s" % firstname
---

I have found a apache config file, on my server, with these lines:

"...


SetHandler python-program
PythonHandler   mod_python.cgihandler



"...'




Options -Indexes FollowSymLinks MultiViews
AllowOverride All
AddHandler mod_python .py
PythonHandler mod_python.publisher
PythonDebug On


Thanks for your help! I would like to find an answer shortly to continue my
project!

Regards,
David

Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Carsten Wiedmann 

Joshua Slive schrieb:


On 8/18/06, Mark J Cox <[EMAIL PROTECTED]> wrote:
> I think the right response here is to make it more explicit in the
> documentation that putting a ScriptAlias cgi-bin inside document root is
> bad.

Yes, this is a relatively common configuration error.  Although this
does not make it a bug, it does point out that our documentation could
be clearer.  Unfortunately, the basic problem is that people see the
ScriptAlias in the default config file and assume that is the only way
to activate cgi scripts, so regardless of what we put in the docs, it
won't help that much.


I don't complete agree with you... IMHO the basic "problem" is:
The "URL-path" in ScriptAlias (like in Alias and Location) is compared case 
sensitive first, also on Windows. The "normal" URI to path translation 
(directory-path) not on Windows. That should be better explained in the 
manual.


BTW:
ScriptAlias is not complete the same as an "Options ExecCGI". On Windows you 
can use something like that to avoid the problem:

ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/apache/cgi-bin$1"

Regards,
Carsten

Re: High CPU utilization on using Apache as a reverse proxy

2006-08-18 Thread pradeep kumar 
Hi Jon,

Sorry if i mislead you into assuming that I am using Solaris. I am
using HP-UX 11iv2. Is HP-UX also affected? In this case also SSL is
being used. 

Regards,
PradeepOn 8/17/06, Jon Snow <[EMAIL PROTECTED]> wrote:
Pradeep,I can't remember if I posted the results of the SSL issue and high CPU usage.We tracked it to a bug in the solaris driver for the Sun daughter card, somemutex issue if my memory serves me correctly. Sun confirmed and issued a
patch a while ago. As discussed in the quoted post I did not believe it wasan apache issue for the SSL but I showed dumps for a corresponding writeissue with a forward proxy in an early anticipation it may be related.
This forward proxy problem I had sounds similar to your issue where apacheappears not to test a return value for a write but it did not utilise largeCPU. Currently I run 2.2.2 and have observed the same write problem as I did
with 2.0.53. One main issue I have with this is the download continues whilethe write fails so effectively the active connection is not in soundcommunication with the passive.I put the huge memory usage down to the byte range bug as these processes were
nearly always streaming or FTPing large files. I have not seen this memoryusage with the version I am running even when I see the write problem.To clarify your issue are you running SSL and if so are you using hardware
crypto? I assume you are using solaris, is it patched for crypto re: aboveand what version of solaris are you using?Regards,JonOn Tuesday 15 August 2006 00:47, pradeep kumar wrote:> Hi,
>> I notice there is a 100% CPU utilization which spikes for sometime and then> goes back to normalcy when Apache is used a reverse proxy. I noticed a mail> thread which seems to be a similar problem
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200510.mbox/%3C200510252>[EMAIL PROTECTED]>
>> One thread of one of the child processes hangs, calling poll() and writev()> system calls so frequently that it causes 100% CPU util. The thread is> trying to writev() to a socked which is in CLOSE_WAIT The child process
> ends after time defined by ndd parameter tcp_keepalive_interval and the> same service time can be seen in access_log. The problem disappears then.>> Regards,>> Pradeep

Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Joshua Slive 

On 8/18/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:

Joshua Slive schrieb:

> On 8/18/06, Mark J Cox <[EMAIL PROTECTED]> wrote:
> > I think the right response here is to make it more explicit in the
> > documentation that putting a ScriptAlias cgi-bin inside document root is
> > bad.
>
> Yes, this is a relatively common configuration error.  Although this
> does not make it a bug, it does point out that our documentation could
> be clearer.  Unfortunately, the basic problem is that people see the
> ScriptAlias in the default config file and assume that is the only way
> to activate cgi scripts, so regardless of what we put in the docs, it
> won't help that much.

I don't complete agree with you... IMHO the basic "problem" is:
The "URL-path" in ScriptAlias (like in Alias and Location) is compared case
sensitive first, also on Windows. The "normal" URI to path translation
(directory-path) not on Windows. That should be better explained in the
manual.


Yes, it should be explained that *Alias* are case-sensitive in their
first argument.  But your diagnosis is not quite correct.  URLs are
always case sensitive in httpd (and in the HTTP RFC).  The fact that
multiple different URLs happen to map to the same filesystem location
is an artificat of the filesystem, not of the path translation code.
httpd does handle case-insensitivity correctly in its filesystem code
(such as the  block).


BTW:
ScriptAlias is not complete the same as an "Options ExecCGI". On Windows you
can use something like that to avoid the problem:
ScriptAliasMatch "(?i)^/cgi-bin(.*)" "/apache/cgi-bin$1"


I don't know why you say that Options/SetHandler isn't the same as
ScriptAlias.  They are identical in all important respects, as far as
I know.  Your suggestion is not a good one for this problem, because
there are other ways to dodge around that regex on many filesystems
(multiple slashes, special characters, etc).  Those are all handled
properly by .  (Your suggestion is fine for the general
question "How do I make the cgi-bin alias case-insensitive?" but it is
not a safe way to use ScriptAlias to put the cgi-bin inside the
DocumentRoot.)

Joshua.

Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Carsten Wiedmann 

Joshua Slive schrieb:


On 8/18/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
>
> I don't complete agree with you... IMHO the basic "problem" is:
> The "URL-path" in ScriptAlias (like in Alias and Location) is
> compared case sensitive first, also on Windows. The "normal" URI to
> path translation (directory-path) not on Windows. That should be
> better explained in the manual.

Yes, it should be explained that *Alias* are case-sensitive in their
first argument.


Ok.



But your diagnosis is not quite correct.  URLs are
always case sensitive in httpd (and in the HTTP RFC).


That's a good point (IMHO they SHOULD, not MUST). But see below...



The fact that
multiple different URLs happen to map to the same filesystem location
is an artificat of the filesystem, not of the path translation code.
httpd does handle case-insensitivity correctly in its filesystem code
(such as the  block).


Now an other point of view ;-)

Ok, we can see, that httpd makes exactly what the source code says. URI 
comparison is made case-sensitive. And the last step, mapping the URI to a 
file system location, depends on the file system.


(And we know: URI's are not file system locations, only resources...)

But what happens in real life (all steps together)?
On *nix:
- with a directory "$DOCUMENT_ROOT/foo",
 the URI /FOO is not the same as /foo
- with an alias /foo for a directory "foo" inside DocumentRoot,
 the URI /FOO is not the same as /foo
- with an alias /bar for a directory "bar" outside DocumentRoot,
 the URI /BAR is not the same as /bar
- with an alias /bar for a directory "bar" and a subdir "sub"
 outside DocumentRoot, the URI /bar/SUB is not the same as /bar/sub

Now the same for e.g. Windows:
- with a directory "$DOCUMENT_ROOT/foo",
 the URI /FOO is the same as /foo
- with an alias /foo for a directory "foo" inside DocumentRoot,
 the URI /FOO is the same as /foo,
 but sometimes with a different behavior
- with an alias /bar for a directory "bar" outside DocumentRoot,
 the URI /BAR is not the same as /bar
- with an alias /bar for a directory "bar" and a subdir "sub"
 outside DocumentRoot, the URI /bar/SUB is the same as /bar/sub
 (that's really interesting:
  only parts of the abs_path are case-sensitive)

And you think, that's a consistent behavior and according to the RFC 2616 
(3.2.3)? Don't forget. That's not really a problem of the file system. 
Because NTFS for example is not only case-insensitive, it's also 
case-preserving. Thus httpd should know the real case.


You remember this little sentence in the RFC 2616 (15.2)?
| If an HTTP server translates HTTP URIs directly into file system calls,
| the server MUST take special care not to serve files
| that were not intended to be delivered to HTTP clients.



> > On 8/18/06, Mark J Cox <[EMAIL PROTECTED]> wrote:
> > > I think the right response here is to make it more explicit in the
> > > documentation that putting a ScriptAlias cgi-bin inside document
> > > root is bad.
> >
> > Yes, this is a relatively common configuration error.
> > ...
> > Instead, you can use:
> > 
> >
> >SetHandler cgi-script
> >Options ExecCGI
> >
> >  


Why is it really bad to have a ScriptAlias inside the DocumentRoot? It's 
only another file system location. And it's only one line in the config file 
instead of four. You have only a problem because of the "unexpected" 
behavior of httpd with case-insensitive/case-preserved file systems ;-) And 
on Windows, the simplest way to make a consistent behavior with URI's is to 
have a alias match case-insensitive.


BTW:
That's not only a problem with Windows. Don't forget the default file system 
of OS X. HFS+ is also case-insensitive.


Regards,
Carsten