author | Joshua Slive <slive@apache.org> | 2006-08-20 18:08:43 +0000 |
---|---|---|
committer | Joshua Slive <slive@apache.org> | 2006-08-20 18:08:43 +0000 |
commit | 1f2b32f04e587a32a28f9de680524ab599130b43 (patch) | |
tree | aec4f0d8daccf1d6d376e11318a1618458641757 | |
parent | 9db2cce5ed048247617f5241af51b7c6df491994 (diff) | |
download | httpd-1f2b32f04e587a32a28f9de680524ab599130b43.tar.gz |
Make it clear that url-path is always case-sensitive.
Provide an example of using a regex to make it case-insensitive.
Make it clear that ScriptAlias is only used when you want
BOTH mapping and script-designation.
Partially in response to the disputed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@432997 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | docs/manual/mod/mod_alias.html.en | 56 | ||||
-rw-r--r-- | docs/manual/mod/mod_alias.xml | 56 |
2 files changed, 92 insertions, 20 deletions
diff --git a/docs/manual/mod/mod_alias.html.en b/docs/manual/mod/mod_alias.html.en index c21a8b93d6..948881a474 100644 --- a/docs/manual/mod/mod_alias.html.en +++ b/docs/manual/mod/mod_alias.html.en @@ -118,7 +118,9 @@ ignored.</p> be stored in the local filesystem other than under the <code class="directive"><a href="../mod/core.html#documentroot">DocumentRoot</a></code>. URLs with a (%-decoded) path beginning with <var>url-path</var> will be mapped - to local files beginning with <var>directory-path</var>.</p> + to local files beginning with <var>directory-path</var>. The + <var>url-path</var> is case-sensitive, even on case-insenitive + file systems.</p> <div class="example"><h3>Example:</h3><p><code> Alias /image /ftp/pub/image @@ -184,6 +186,14 @@ expressions</td></tr> AliasMatch ^/icons(.*) /usr/local/apache/icons$1 </code></p></div> + <p>It is also possible to construct an alias with case-insensitive + matching of the url-path:</p> + + <div class="example"><p><code> + AliasMatch (?i)^/image(.*) /ftp/pub/image$1 + </code></p></div> + + </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="Redirect" id="Redirect">Redirect</a> <a name="redirect" id="redirect">Directive</a></h2> 
@@ -200,12 +210,12 @@ a different URL</td></tr> <p>The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.</p> - <p>The old <em>URL-path</em> is a (%-decoded) path beginning with - a slash. A relative path is not allowed. The new <em>URL</em> - should be an absolute URL beginning with a scheme and hostname, - but a URL-path beginning with a slash may also be used, in which - case the scheme and hostname of the current server will be - added.</p> + <p>The old <em>URL-path</em> is a case-sensitive (%-decoded) path + beginning with a slash. A relative path is not allowed. The new + <em>URL</em> should be an absolute URL beginning with a scheme and + hostname, but a URL-path beginning with a slash may also be used, + in which case the scheme and hostname of the current server will + be added.</p> <p>Then any request beginning with <em>URL-Path</em> will return a redirect request to the client at the location of the target @@ -342,9 +352,9 @@ target as a CGI script</td></tr> <p>The <code class="directive">ScriptAlias</code> directive has the same behavior as the <code class="directive"><a href="#alias">Alias</a></code> directive, except that in addition it marks the target directory - as containing CGI scripts that will be processed by <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>'s cgi-script handler. URLs with a + as containing CGI scripts that will be processed by <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>'s cgi-script handler. URLs with a case-sensitive (%-decoded) path beginning with <var>URL-path</var> will be mapped - to scripts beginning with the second argument which is a full + to scripts beginning with the second argument, which is a full pathname in the local filesystem.</p> <div class="example"><h3>Example:</h3><p><code> 
@@ -352,8 +362,34 @@ target as a CGI script</td></tr> </code></p></div> <p>A request for <code>http://myserver/cgi-bin/foo</code> would cause the - server to run the script <code>/web/cgi-bin/foo</code>.</p> + server to run the script <code>/web/cgi-bin/foo</code>. This configuration + is essentially equivalent to:</p> + <div class="example"><p><code> + Alias /cgi-bin/ /web/cgi-bin/<br /> + <Directory /web/cgi-bin ><br /> + <span class="indent"> + SetHandler cgi-script<br /> + Options +ExecCGI<br /> + </span> + </Directory> + </code></p></div> + <div class="note">It is safer to avoid placing CGI scripts under the + <code class="directive"><a href="../mod/core.html#documentroot">DocumentRoot</a></code> in order to + avoid accidentally revealing their source code if the + configuration is ever changed. The + <code class="directive">ScriptAlias</code> makes this easy by mapping a + URL and designating CGI scripts at the same time. If you do + choose to place your CGI scripts in a directory already + accessible from the web, do not use + <code class="directive">ScriptAlias</code>. Instead, use <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>, <code class="directive"><a href="../mod/core.html#sethandler">SetHandler</a></code>, and <code class="directive"><a href="../mod/core.html#options">Options</a></code> as shown in the second example + above.</div> + + +<h3>See also</h3> +<ul> +<li><a href="../howto/cgi.html">CGI Tutorial</a></li> +</ul> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="ScriptAliasMatch" id="ScriptAliasMatch">ScriptAliasMatch</a> <a name="scriptaliasmatch" id="scriptaliasmatch">Directive</a></h2> diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml index 1724881ea5..ddf82f807b 100644 --- a/docs/manual/mod/mod_alias.xml +++ b/docs/manual/mod/mod_alias.xml 
@@ -106,7 +106,9 @@ ignored.</p> be stored in the local filesystem other than under the <directive module="core">DocumentRoot</directive>. URLs with a (%-decoded) path beginning with <var>url-path</var> will be mapped - to local files beginning with <var>directory-path</var>.</p> + to local files beginning with <var>directory-path</var>. The + <var>url-path</var> is case-sensitive, even on case-insenitive + file systems.</p> <example><title>Example:</title> Alias /image /ftp/pub/image @@ -175,6 +177,14 @@ expressions</description> <example> AliasMatch ^/icons(.*) /usr/local/apache/icons$1 </example> + + <p>It is also possible to construct an alias with case-insensitive + matching of the url-path:</p> + + <example> + AliasMatch (?i)^/image(.*) /ftp/pub/image$1 + </example> + </usage> </directivesynopsis> @@ -192,12 +202,12 @@ a different URL</description> <p>The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.</p> - <p>The old <em>URL-path</em> is a (%-decoded) path beginning with - a slash. A relative path is not allowed. The new <em>URL</em> - should be an absolute URL beginning with a scheme and hostname, - but a URL-path beginning with a slash may also be used, in which - case the scheme and hostname of the current server will be - added.</p> + <p>The old <em>URL-path</em> is a case-sensitive (%-decoded) path + beginning with a slash. A relative path is not allowed. The new + <em>URL</em> should be an absolute URL beginning with a scheme and + hostname, but a URL-path beginning with a slash may also be used, + in which case the scheme and hostname of the current server will + be added.</p> <p>Then any request beginning with <em>URL-Path</em> will return a redirect request to the client at the location of the target 
@@ -337,9 +347,9 @@ target as a CGI script</description> behavior as the <directive module="mod_alias">Alias</directive> directive, except that in addition it marks the target directory as containing CGI scripts that will be processed by <module - >mod_cgi</module>'s cgi-script handler. URLs with a + >mod_cgi</module>'s cgi-script handler. URLs with a case-sensitive (%-decoded) path beginning with <var>URL-path</var> will be mapped - to scripts beginning with the second argument which is a full + to scripts beginning with the second argument, which is a full pathname in the local filesystem.</p> <example><title>Example:</title> @@ -347,8 +357,34 @@ target as a CGI script</description> </example> <p>A request for <code>http://myserver/cgi-bin/foo</code> would cause the - server to run the script <code>/web/cgi-bin/foo</code>.</p> + server to run the script <code>/web/cgi-bin/foo</code>. This configuration + is essentially equivalent to:</p> + <example> + Alias /cgi-bin/ /web/cgi-bin/<br /> + <Directory /web/cgi-bin ><br /> + <indent> + SetHandler cgi-script<br /> + Options +ExecCGI<br /> + </indent> + </Directory> + </example> + + <note>It is safer to avoid placing CGI scripts under the + <directive module="core">DocumentRoot</directive> in order to + avoid accidentally revealing their source code if the + configuration is ever changed. The + <directive>ScriptAlias</directive> makes this easy by mapping a + URL and designating CGI scripts at the same time. If you do + choose to place your CGI scripts in a directory already + accessible from the web, do not use + <directive>ScriptAlias</directive>. Instead, use <directive + module="core" type="section">Directory</directive>, <directive + module="core">SetHandler</directive>, and <directive + module="core">Options</directive> as shown in the second example + above.</note> + </usage> +<seealso><a href="../howto/cgi.html">CGI Tutorial</a></seealso> </directivesynopsis> <directivesynopsis> |
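Review bot: "case-insenitive" is misspelled in the sentence added to the Alias description (hunk @@ -118 in mod_alias.html.en and @@ -106 in mod_alias.xml); it should read "case-insensitive file systems". The typo is in both files, so it needs fixing in both.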
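Review bot: the pattern in the new AliasMatch example (hunk @@ -184 in mod_alias.html.en, @@ -175 in mod_alias.xml) has no path-segment boundary after /image. In `AliasMatch (?i)^/image(.*) /ftp/pub/image$1` the capture group starts directly after the prefix, so a request for /images2/x is mapped to /ftp/pub/images2/x. If the example is meant to cover only /image and what lies below it, a pattern such as `(?i)^/image(/.*)?$` says so. It would also help to state that only the prefix match becomes case-insensitive: the text captured by (.*) is appended to the file path exactly as requested.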
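Review bot: the ScriptAlias description (hunk @@ -342 in mod_alias.html.en, @@ -337 in mod_alias.xml) gains only the word "case-sensitive", without the qualifier the Alias text received in this same patch ("even on case-insensitive file systems"). A reader who lands on ScriptAlias directly never sees that sentence; suggest repeating it here or pointing to the Alias description.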
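Review bot: the new note (hunk @@ -352 in mod_alias.html.en, @@ -347 in mod_alias.xml) gives "if the configuration is ever changed" as the only way script source could be revealed and does not connect to the case-sensitivity wording this patch adds just above it. A request whose case differs from URL-path does not match the ScriptAlias, so for a script directory that is also reachable under DocumentRoot this directive does not mark that request as CGI; one sentence saying so would make the advice concrete. Separately, "as shown in the second example above" will go stale when another example is inserted; refer to it by content instead, for instance "the Alias and Directory configuration above".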