You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Matus \"fantomas\" Uhlar" <uh...@fantomas.sk> on 2002/07/10 19:06:11 UTC

Re: [Apache] script alias

-> How do I make a script alias so that I can do this:
-> 
-> pull up mydomain.com/script.cgi
-> when its actually located
-> in mydomain.com/cgi-bin/script.cgi

why?

-- 
 Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
 Warning: I don't wish to receive spam to this address.
 Varovanie: Nezelam si na tuto adresu dostavat akukolvek reklamnu postu.
 LSD will make your ECS screen display 16.7 million colors

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by "Korey G." <ko...@awpg.com>.

One major advantage is that
"..mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.."
-Brian Moore


At 13:04 7/10/02 -0500, you wrote:
>I'm interested in your comment.  I'm thinking like a unix programmer. . .
>A symlink at the OS level seems more efficient than adding a logic instruction
>to a HLL program, i.e., the httpd server.  In other words, the httpd has 
>to go
>through some if-then-else gyrations that are otherwise implicit at the OS 
>level;
>therefore, why not use a symbolic link?  Additionally, you can set (i.e., 
>chmod)
>permissions at the file level, rather than deal with the httpd allow/deny 
>scenario,
>granted that there may be some message handlling advantages that I'm not
>taking into consideration.
>
>Ron W.
>>----- Original Message -----
>>From: <ma...@awpg.com>Korey G.
>>To: <ma...@httpd.apache.org>users@httpd.apache.org
>>Sent: Wednesday, July 10, 2002 3:45 PM
>>Subject: Re: [Apache] script alias
>>
>>no, because httpd.conf is tha bomb!
>>symbolic linkage is a cop out
>>
>>At 12:41 7/10/02 -0500, you wrote:
>> >Perhaps, create a symbolic link (assuming that you're runing on unix) to
>> >the abbreviated spelling?
>> >(. . .rather than deal with script aliases.)
>> >>----- Original Message -----
>> >>From: <<m...@swift-web.com>Jason
>> >>To: 
>> <<m...@httpd.apache.org>users@httpd.apache.org
>> >>Sent: Wednesday, July 10, 2002 12:22 PM
>> >>Subject: RE: [Apache] script alias
>> >>
>> >> > -> How do I make a script alias so that I can do this:
>> >> > ->
>> >> > -> pull up mydomain.com/script.cgi
>> >> > -> when its actually located
>> >> > -> in mydomain.com/cgi-bin/script.cgi
>> >> >
>> >> > why?
>> >>
>> >>I wondered the same thing only reducing it a bit further than the above
>> >>example.  My reasons were to shorten
>> >>domain.com/cgi-bin/webmailprogram.cgi
>> >>to
>> >>domain.com/webmail
>> >>
>> >>Is that possible and if so does it open up major security issues?
>> >>-Jay
>> >>
>> >>
>> >>
>> >>---------------------------------------------------------------------
>> >>To unsubscribe, e-mail:
>> >><<m...@httpd.apache.org>mailto:users-unsubscribe@ht 
>> tpd.apache.org><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>> >>For additional commands, e-mail:
>> >><<m...@httpd.apache.org>mailto:users-help@httpd.apache.org 
>>  ><ma...@httpd.apache.org>users-help@httpd.apache.org
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: 
>><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: 
>><ma...@httpd.apache.org>users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by "Korey G." <ko...@awpg.com>.

I take it back,
  Apache wont allow script processing through sim links,
-Security Concerns
--Snip--

         It is also possible, in very rare conditions, for this to
         to be used to bypass htaccess files restricting access to
         a directory or file.  The only case where this can happen
         is if the attacker can form a request that results in the
         full path to the htaccess file being too long (on most
         systems, meaning over 1024 characters) yet the request for
         the protected file in the same directory is not too long.
         The only normal case where such an attack could be possible
         is if there is a symbolic link such as "somedir -> ."
         created in the document tree.
-- http://httpd.apache.org/info/security_bulletin_1.2.5.html
--Snip--




At 14:17 7/10/02 -0700, you wrote:
>But I see your point,
>  it would be interesting to run some benchmarks on the theory,
>I'll keep you updated,
>-Korey
>
>
>At 13:04 7/10/02 -0500, you wrote:
>>I'm interested in your comment.  I'm thinking like a unix programmer. . .
>>A symlink at the OS level seems more efficient than adding a logic 
>>instruction
>>to a HLL program, i.e., the httpd server.  In other words, the httpd has 
>>to go
>>through some if-then-else gyrations that are otherwise implicit at the OS 
>>level;
>>therefore, why not use a symbolic link?  Additionally, you can set (i.e., 
>>chmod)
>>permissions at the file level, rather than deal with the httpd allow/deny 
>>scenario,
>>granted that there may be some message handlling advantages that I'm not
>>taking into consideration.
>>
>>Ron W.
>>>----- Original Message -----
>>>From: <ma...@awpg.com>Korey G.
>>>To: <ma...@httpd.apache.org>users@httpd.apache.org
>>>Sent: Wednesday, July 10, 2002 3:45 PM
>>>Subject: Re: [Apache] script alias
>>>
>>>no, because httpd.conf is tha bomb!
>>>symbolic linkage is a cop out
>>>
>>>At 12:41 7/10/02 -0500, you wrote:
>>> >Perhaps, create a symbolic link (assuming that you're runing on unix) to
>>> >the abbreviated spelling?
>>> >(. . .rather than deal with script aliases.)
>>> >>----- Original Message -----
>>> >>From: <<m...@swift-web.com>Jason
>>> >>To: 
>>> <<m...@httpd.apache.org>users@httpd.apache.org
>>> >>Sent: Wednesday, July 10, 2002 12:22 PM
>>> >>Subject: RE: [Apache] script alias
>>> >>
>>> >> > -> How do I make a script alias so that I can do this:
>>> >> > ->
>>> >> > -> pull up mydomain.com/script.cgi
>>> >> > -> when its actually located
>>> >> > -> in mydomain.com/cgi-bin/script.cgi
>>> >> >
>>> >> > why?
>>> >>
>>> >>I wondered the same thing only reducing it a bit further than the above
>>> >>example.  My reasons were to shorten
>>> >>domain.com/cgi-bin/webmailprogram.cgi
>>> >>to
>>> >>domain.com/webmail
>>> >>
>>> >>Is that possible and if so does it open up major security issues?
>>> >>-Jay
>>> >>
>>> >>
>>> >>
>>> >>---------------------------------------------------------------------
>>> >>To unsubscribe, e-mail:
>>> >><<m...@httpd.apache.org>mailto:users-unsubscribe@h 
>>> t 
>>> tpd.apache.org><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>>> >>For additional commands, e-mail:
>>> >><<m...@httpd.apache.org>mailto:users-help@httpd.apache.or 
>>> g  ><ma...@httpd.apache.org>users-help@httpd.apache.org
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: 
>>><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>>>For additional commands, e-mail: 
>>><ma...@httpd.apache.org>users-help@httpd.apache.org
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by "Korey G." <ko...@awpg.com>.

But I see your point,
  it would be interesting to run some benchmarks on the theory,
I'll keep you updated,
-Korey


At 13:04 7/10/02 -0500, you wrote:
>I'm interested in your comment.  I'm thinking like a unix programmer. . .
>A symlink at the OS level seems more efficient than adding a logic instruction
>to a HLL program, i.e., the httpd server.  In other words, the httpd has 
>to go
>through some if-then-else gyrations that are otherwise implicit at the OS 
>level;
>therefore, why not use a symbolic link?  Additionally, you can set (i.e., 
>chmod)
>permissions at the file level, rather than deal with the httpd allow/deny 
>scenario,
>granted that there may be some message handlling advantages that I'm not
>taking into consideration.
>
>Ron W.
>>----- Original Message -----
>>From: <ma...@awpg.com>Korey G.
>>To: <ma...@httpd.apache.org>users@httpd.apache.org
>>Sent: Wednesday, July 10, 2002 3:45 PM
>>Subject: Re: [Apache] script alias
>>
>>no, because httpd.conf is tha bomb!
>>symbolic linkage is a cop out
>>
>>At 12:41 7/10/02 -0500, you wrote:
>> >Perhaps, create a symbolic link (assuming that you're runing on unix) to
>> >the abbreviated spelling?
>> >(. . .rather than deal with script aliases.)
>> >>----- Original Message -----
>> >>From: <<m...@swift-web.com>Jason
>> >>To: 
>> <<m...@httpd.apache.org>users@httpd.apache.org
>> >>Sent: Wednesday, July 10, 2002 12:22 PM
>> >>Subject: RE: [Apache] script alias
>> >>
>> >> > -> How do I make a script alias so that I can do this:
>> >> > ->
>> >> > -> pull up mydomain.com/script.cgi
>> >> > -> when its actually located
>> >> > -> in mydomain.com/cgi-bin/script.cgi
>> >> >
>> >> > why?
>> >>
>> >>I wondered the same thing only reducing it a bit further than the above
>> >>example.  My reasons were to shorten
>> >>domain.com/cgi-bin/webmailprogram.cgi
>> >>to
>> >>domain.com/webmail
>> >>
>> >>Is that possible and if so does it open up major security issues?
>> >>-Jay
>> >>
>> >>
>> >>
>> >>---------------------------------------------------------------------
>> >>To unsubscribe, e-mail:
>> >><<m...@httpd.apache.org>mailto:users-unsubscribe@ht 
>> tpd.apache.org><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>> >>For additional commands, e-mail:
>> >><<m...@httpd.apache.org>mailto:users-help@httpd.apache.org 
>>  ><ma...@httpd.apache.org>users-help@httpd.apache.org
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: 
>><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: 
>><ma...@httpd.apache.org>users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by Ron Wingfield <rt...@archaxis.net>.

I'm interested in your comment.  I'm thinking like a unix programmer. . .
A symlink at the OS level seems more efficient than adding a logic instruction
to a HLL program, i.e., the httpd server.  In other words, the httpd has to go 
through some if-then-else gyrations that are otherwise implicit at the OS level;
therefore, why not use a symbolic link?  Additionally, you can set (i.e., chmod)
permissions at the file level, rather than deal with the httpd allow/deny scenario, 
granted that there may be some message handlling advantages that I'm not
taking into consideration.

Ron W.
  ----- Original Message ----- 
  From: Korey G. 
  To: users@httpd.apache.org 
  Sent: Wednesday, July 10, 2002 3:45 PM
  Subject: Re: [Apache] script alias


  no, because httpd.conf is tha bomb!
  symbolic linkage is a cop out

  At 12:41 7/10/02 -0500, you wrote:
  >Perhaps, create a symbolic link (assuming that you're runing on unix) to 
  >the abbreviated spelling?
  >(. . .rather than deal with script aliases.)
  >>----- Original Message -----
  >>From: <ma...@swift-web.com>Jason
  >>To: <ma...@httpd.apache.org>users@httpd.apache.org
  >>Sent: Wednesday, July 10, 2002 12:22 PM
  >>Subject: RE: [Apache] script alias
  >>
  >> > -> How do I make a script alias so that I can do this:
  >> > ->
  >> > -> pull up mydomain.com/script.cgi
  >> > -> when its actually located
  >> > -> in mydomain.com/cgi-bin/script.cgi
  >> >
  >> > why?
  >>
  >>I wondered the same thing only reducing it a bit further than the above
  >>example.  My reasons were to shorten
  >>domain.com/cgi-bin/webmailprogram.cgi
  >>to
  >>domain.com/webmail
  >>
  >>Is that possible and if so does it open up major security issues?
  >>-Jay
  >>
  >>
  >>
  >>---------------------------------------------------------------------
  >>To unsubscribe, e-mail: 
  >><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
  >>For additional commands, e-mail: 
  >><ma...@httpd.apache.org>users-help@httpd.apache.org


  ---------------------------------------------------------------------
  To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
  For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by Robert Andersson <ro...@profundis.nu>.

Look up ScriptAliasMatch:

http://httpd.apache.org/docs-2.0/mod/mod_alias.html#scriptaliasmatch

Does it do the trick?

Regards,
Robert Andersson

----- Original Message -----
From: "Jason" <ap...@swift-web.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, July 10, 2002 7:57 PM
Subject: RE: [Apache] script alias


> > no, because httpd.conf is tha bomb!
> > symbolic linkage is a cop out
>
> So how does one make a configuration in httpd.conf to do an alias for
this.
> I tried the standard alias stuff and it didn't work but I'm guessing it's
> because it was for a file in a cgi-bin and other things needed to be
> altered.
>
> Any suggestions of what I should look for?
>
> Jay
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [Apache] script alias

Posted by Jason <ap...@swift-web.com>.

> no, because httpd.conf is tha bomb!
> symbolic linkage is a cop out

So how does one make a configuration in httpd.conf to do an alias for this.
I tried the standard alias stuff and it didn't work but I'm guessing it's
because it was for a file in a cgi-bin and other things needed to be
altered.

Any suggestions of what I should look for?

Jay



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by "Korey G." <ko...@awpg.com>.

no, because httpd.conf is tha bomb!
symbolic linkage is a cop out

At 12:41 7/10/02 -0500, you wrote:
>Perhaps, create a symbolic link (assuming that you're runing on unix) to 
>the abbreviated spelling?
>(. . .rather than deal with script aliases.)
>>----- Original Message -----
>>From: <ma...@swift-web.com>Jason
>>To: <ma...@httpd.apache.org>users@httpd.apache.org
>>Sent: Wednesday, July 10, 2002 12:22 PM
>>Subject: RE: [Apache] script alias
>>
>> > -> How do I make a script alias so that I can do this:
>> > ->
>> > -> pull up mydomain.com/script.cgi
>> > -> when its actually located
>> > -> in mydomain.com/cgi-bin/script.cgi
>> >
>> > why?
>>
>>I wondered the same thing only reducing it a bit further than the above
>>example.  My reasons were to shorten
>>domain.com/cgi-bin/webmailprogram.cgi
>>to
>>domain.com/webmail
>>
>>Is that possible and if so does it open up major security issues?
>>-Jay
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: 
>><ma...@httpd.apache.org>users-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: 
>><ma...@httpd.apache.org>users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by Ron Wingfield <rt...@archaxis.net>.

Perhaps, create a symbolic link (assuming that you're runing on unix) to the abbreviated spelling? 
(. . .rather than deal with script aliases.)
  ----- Original Message ----- 
  From: Jason 
  To: users@httpd.apache.org 
  Sent: Wednesday, July 10, 2002 12:22 PM
  Subject: RE: [Apache] script alias


  > -> How do I make a script alias so that I can do this:
  > ->
  > -> pull up mydomain.com/script.cgi
  > -> when its actually located
  > -> in mydomain.com/cgi-bin/script.cgi
  >
  > why?

  I wondered the same thing only reducing it a bit further than the above
  example.  My reasons were to shorten
  domain.com/cgi-bin/webmailprogram.cgi
  to
  domain.com/webmail

  Is that possible and if so does it open up major security issues?
  -Jay



  ---------------------------------------------------------------------
  To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
  For additional commands, e-mail: users-help@httpd.apache.org

RE: [Apache] script alias

Posted by Jason <ap...@swift-web.com>.

> -> How do I make a script alias so that I can do this:
> ->
> -> pull up mydomain.com/script.cgi
> -> when its actually located
> -> in mydomain.com/cgi-bin/script.cgi
>
> why?

I wondered the same thing only reducing it a bit further than the above
example.  My reasons were to shorten
domain.com/cgi-bin/webmailprogram.cgi
to
domain.com/webmail

Is that possible and if so does it open up major security issues?
-Jay



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [Apache] script alias

Posted by "Korey G." <ko...@awpg.com>.

Well thats besides the point,
  you can have many reasons to do that.
Linkage wise or whatever



At 19:06 7/10/02 +0200, you wrote:
>-> How do I make a script alias so that I can do this:
>->
>-> pull up mydomain.com/script.cgi
>-> when its actually located
>-> in mydomain.com/cgi-bin/script.cgi
>
>why?
>
>--
>  Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
>  Warning: I don't wish to receive spam to this address.
>  Varovanie: Nezelam si na tuto adresu dostavat akukolvek reklamnu postu.
>  LSD will make your ECS screen display 16.7 million colors
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org