Make it clear that url-path is always case-sensitive.

Provide an example of using a regex to make it case-insensitive.
Make it clear that ScriptAlias is only used when you want
BOTH mapping and script-designation.

Partially in response to the disputed vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@432997 13f79535-47bb-0310-9956-ffa450edef68

2 files changed, 92 insertions, 20 deletions

diff --git a/docs/manual/mod/mod_alias.html.en b/docs/manual/mod/mod_alias.html.en
index c21a8b93d6..948881a474 100644
--- a/docs/manual/mod/mod_alias.html.en
+++ b/docs/manual/mod/mod_alias.html.en
@@ -118,7 +118,9 @@ ignored.</p>
     be stored in the local filesystem other than under the 
     <code class="directive"><a href="../mod/core.html#documentroot">DocumentRoot</a></code>. URLs with a
     (%-decoded) path beginning with <var>url-path</var> will be mapped
-    to local files beginning with <var>directory-path</var>.</p>
+    to local files beginning with <var>directory-path</var>.  The 
+    <var>url-path</var> is case-sensitive, even on case-insenitive 
+    file systems.</p>
 
     <div class="example"><h3>Example:</h3><p><code>
       Alias /image /ftp/pub/image
@@ -184,6 +186,14 @@ expressions</td></tr>
       AliasMatch ^/icons(.*) /usr/local/apache/icons$1
     </code></p></div>
 
+    <p>It is also possible to construct an alias with case-insensitive
+    matching of the url-path:</p>
+
+    <div class="example"><p><code>
+      AliasMatch (?i)^/image(.*) /ftp/pub/image$1
+    </code></p></div>
+
+
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="Redirect" id="Redirect">Redirect</a> <a name="redirect" id="redirect">Directive</a></h2>
@@ -200,12 +210,12 @@ a different URL</td></tr>
     <p>The Redirect directive maps an old URL into a new one by asking
     the client to refetch the resource at the new location.</p>
 
-    <p>The old <em>URL-path</em> is a (%-decoded) path beginning with
-    a slash.  A relative path is not allowed.  The new <em>URL</em>
-    should be an absolute URL beginning with a scheme and hostname,
-    but a URL-path beginning with a slash may also be used, in which
-    case the scheme and hostname of the current server will be
-    added.</p>
+    <p>The old <em>URL-path</em> is a case-sensitive (%-decoded) path
+    beginning with a slash.  A relative path is not allowed.  The new
+    <em>URL</em> should be an absolute URL beginning with a scheme and
+    hostname, but a URL-path beginning with a slash may also be used,
+    in which case the scheme and hostname of the current server will
+    be added.</p>
 
     <p>Then any request beginning with <em>URL-Path</em> will return a
     redirect request to the client at the location of the target
@@ -342,9 +352,9 @@ target as a CGI script</td></tr>
     <p>The <code class="directive">ScriptAlias</code> directive has the same
     behavior as the <code class="directive"><a href="#alias">Alias</a></code>
     directive, except that in addition it marks the target directory
-    as containing CGI scripts that will be processed by <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>'s cgi-script handler. URLs with a
+    as containing CGI scripts that will be processed by <code class="module"><a href="../mod/mod_cgi.html">mod_cgi</a></code>'s cgi-script handler. URLs with a case-sensitive
     (%-decoded) path beginning with <var>URL-path</var> will be mapped
-    to scripts beginning with the second argument which is a full
+    to scripts beginning with the second argument, which is a full
     pathname in the local filesystem.</p>
 
     <div class="example"><h3>Example:</h3><p><code>
@@ -352,8 +362,34 @@ target as a CGI script</td></tr>
     </code></p></div>
 
     <p>A request for <code>http://myserver/cgi-bin/foo</code> would cause the
-    server to run the script <code>/web/cgi-bin/foo</code>.</p>
+    server to run the script <code>/web/cgi-bin/foo</code>.  This configuration
+    is essentially equivalent to:</p>
+    <div class="example"><p><code>
+      Alias /cgi-bin/ /web/cgi-bin/<br />
+      &lt;Directory /web/cgi-bin &gt;<br />
+      <span class="indent">
+      SetHandler cgi-script<br />
+      Options +ExecCGI<br />
+      </span>
+      &lt;/Directory&gt;
+    </code></p></div>
 
+    <div class="note">It is safer to avoid placing CGI scripts under the
+    <code class="directive"><a href="../mod/core.html#documentroot">DocumentRoot</a></code> in order to
+    avoid accidentally revealing their source code if the
+    configuration is ever changed.  The
+    <code class="directive">ScriptAlias</code> makes this easy by mapping a
+    URL and designating CGI scripts at the same time.  If you do
+    choose to place your CGI scripts in a directory already
+    accessible from the web, do not use
+    <code class="directive">ScriptAlias</code>.  Instead, use <code class="directive"><a href="../mod/core.html#directory">&lt;Directory&gt;</a></code>, <code class="directive"><a href="../mod/core.html#sethandler">SetHandler</a></code>, and <code class="directive"><a href="../mod/core.html#options">Options</a></code> as shown in the second example
+    above.</div>
+
+
+<h3>See also</h3>
+<ul>
+<li><a href="../howto/cgi.html">CGI Tutorial</a></li>
+</ul>
 </div>
 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
 <div class="directive-section"><h2><a name="ScriptAliasMatch" id="ScriptAliasMatch">ScriptAliasMatch</a> <a name="scriptaliasmatch" id="scriptaliasmatch">Directive</a></h2>
diff --git a/docs/manual/mod/mod_alias.xml b/docs/manual/mod/mod_alias.xml
index 1724881ea5..ddf82f807b 100644
--- a/docs/manual/mod/mod_alias.xml
+++ b/docs/manual/mod/mod_alias.xml
@@ -106,7 +106,9 @@ ignored.</p>
     be stored in the local filesystem other than under the 
     <directive module="core">DocumentRoot</directive>. URLs with a
     (%-decoded) path beginning with <var>url-path</var> will be mapped
-    to local files beginning with <var>directory-path</var>.</p>
+    to local files beginning with <var>directory-path</var>.  The 
+    <var>url-path</var> is case-sensitive, even on case-insenitive 
+    file systems.</p>
 
     <example><title>Example:</title>
       Alias /image /ftp/pub/image
@@ -175,6 +177,14 @@ expressions</description>
     <example>
       AliasMatch ^/icons(.*) /usr/local/apache/icons$1
     </example>
+
+    <p>It is also possible to construct an alias with case-insensitive
+    matching of the url-path:</p>
+
+    <example>
+      AliasMatch (?i)^/image(.*) /ftp/pub/image$1
+    </example>
+
 </usage>
 </directivesynopsis>
 
@@ -192,12 +202,12 @@ a different URL</description>
     <p>The Redirect directive maps an old URL into a new one by asking
     the client to refetch the resource at the new location.</p>
 
-    <p>The old <em>URL-path</em> is a (%-decoded) path beginning with
-    a slash.  A relative path is not allowed.  The new <em>URL</em>
-    should be an absolute URL beginning with a scheme and hostname,
-    but a URL-path beginning with a slash may also be used, in which
-    case the scheme and hostname of the current server will be
-    added.</p>
+    <p>The old <em>URL-path</em> is a case-sensitive (%-decoded) path
+    beginning with a slash.  A relative path is not allowed.  The new
+    <em>URL</em> should be an absolute URL beginning with a scheme and
+    hostname, but a URL-path beginning with a slash may also be used,
+    in which case the scheme and hostname of the current server will
+    be added.</p>
 
     <p>Then any request beginning with <em>URL-Path</em> will return a
     redirect request to the client at the location of the target
@@ -337,9 +347,9 @@ target as a CGI script</description>
     behavior as the <directive module="mod_alias">Alias</directive>
     directive, except that in addition it marks the target directory
     as containing CGI scripts that will be processed by <module
-    >mod_cgi</module>'s cgi-script handler. URLs with a
+    >mod_cgi</module>'s cgi-script handler. URLs with a case-sensitive
     (%-decoded) path beginning with <var>URL-path</var> will be mapped
-    to scripts beginning with the second argument which is a full
+    to scripts beginning with the second argument, which is a full
     pathname in the local filesystem.</p>
 
     <example><title>Example:</title>
@@ -347,8 +357,34 @@ target as a CGI script</description>
     </example>
 
     <p>A request for <code>http://myserver/cgi-bin/foo</code> would cause the
-    server to run the script <code>/web/cgi-bin/foo</code>.</p>
+    server to run the script <code>/web/cgi-bin/foo</code>.  This configuration
+    is essentially equivalent to:</p>
+    <example>
+      Alias /cgi-bin/ /web/cgi-bin/<br />
+      &lt;Directory /web/cgi-bin &gt;<br />
+      <indent>
+      SetHandler cgi-script<br />
+      Options +ExecCGI<br />
+      </indent>
+      &lt;/Directory&gt;
+    </example>
+
+    <note>It is safer to avoid placing CGI scripts under the
+    <directive module="core">DocumentRoot</directive> in order to
+    avoid accidentally revealing their source code if the
+    configuration is ever changed.  The
+    <directive>ScriptAlias</directive> makes this easy by mapping a
+    URL and designating CGI scripts at the same time.  If you do
+    choose to place your CGI scripts in a directory already
+    accessible from the web, do not use
+    <directive>ScriptAlias</directive>.  Instead, use <directive
+    module="core" type="section">Directory</directive>, <directive
+    module="core">SetHandler</directive>, and <directive
+    module="core">Options</directive> as shown in the second example
+    above.</note>
+
 </usage>
+<seealso><a href="../howto/cgi.html">CGI Tutorial</a></seealso>
 </directivesynopsis>
 
 <directivesynopsis>