default conf and ScriptAlias
Relative to the recent CVEs, should we replace ScriptAlias in the
default conf with Alias + SetHandler cgi-script in the corresponding
Directory section?

And .. should ScriptAlias be deprecated/discouraged in some way if the
expanded version is safer by avoiding the equivalent of setting the
handler in Location vs. Directory?

I am assuming it is not possible/feasible to make ScriptAlias just
work as if it was in the 2nd argument's Directory config.

--
Eric Covener
covener@gmail.com
Re: default conf and ScriptAlias
On 10/10/2021 03:39, Eric Covener wrote:

> Relative to the recent CVEs, should we replace ScriptAlias in the
> default conf with Alias + SetHandler cgi-script in the corresponding
> Directory section?
>
> And .. should ScriptAlias be deprecated/discouraged in some way if the
> expanded version is safer by avoiding the equivalent of setting the
> handler in Location vs. Directory?
>
> I am assuming it is not possible/feasible to make ScriptAlias just
> work as if it was in the 2nd argument's Directory config.

-1

You are talking about changing an httpd lifelong option that's used in
millions of settings around the world.

The ScriptAlias setting is not used in any Directory setting in my case; it's
used in a global way:

DocumentRoot "/var/www/html"

<Directory "/var/www">
AllowOverride None
Options SymlinksIfOwnerMatch
Require all granted
</Directory>

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
AllowOverride None
Require all granted
</Directory>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

and more globally used in every service provider I've been at (not all
my doing, but the end result is identical) inside virtual host confs:

<VirtualHost xxxxxxxxxx >
ServerName xxxxxxx
ServerAlias www.xxxxxxxx
DocumentRoot /var/www/vhost/xxxxxxx/www/html
ScriptAlias /cgi-bin/ /var/www/vhost/xxxxxxxxx/www/cgi-bin/

...snip...

</VirtualHost>

This is how every person expects it.

So you want to go make that more convoluted?

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
Re: default conf and ScriptAlias
… both +1 and -1.

A change in version number or major version can imply significant changes in the base configuration, and I see this suggestion as a fit for an httpd-2.5, -3.0 or the like. Hence, +1.

However, changing such a widely used setting on the existing 10-year-old 2.4 tree will cause operators headaches like the one outlined by Noel, more so as this setting has been there for way longer than 2.4, and therefore -1.

Alex

Re: default conf and ScriptAlias
On Sat, Oct 9, 2021 at 8:30 PM Noel Butler <noel.butler@ausics.net> wrote:

> On 10/10/2021 03:39, Eric Covener wrote:
>
> Relative to the recent CVEs, should we replace ScriptAlias in the
> default conf with Alias + SetHandler cgi-script in the corresponding
> Directory section?
>
> And .. should ScriptAlias be deprecated/discouraged in some way if the
> expanded version is safer by avoiding the equivalent of setting the
> handler in Location vs. Directory?
>
> I am assuming it is not possible/feasible to make ScriptAlias just
> work as if it was in the 2nd argument's Directory config.
>
> -1
>
> You are talking about changing an httpd lifelong option that's used in
> millions of settings around the world.
>
I'm talking about removing it from the default configuration file and
marking it as deprecated.
I don't see a negative impact to users with their own configuration (not
changed) or users with our default configuration (since the alternative
does the same thing aside from unexpected results where the same Location
is mapped to a file in an unintended location).

> This is how every person expects it.
>
> So you want to go make that more convoluted?

I don't think Alias + "SetHandler cgi-script" in the default configuration
is any more convoluted, given there's already a corresponding Directory
section.
You could even argue it's conceptually simpler.
Re: default conf and ScriptAlias
On 10/10/2021 11:07, Eric Covener wrote:

> I'm talking about removing it from the default configuration file and
> marking it as deprecated.
> I don't see a negative impact to users with their own configuration
> (not changed) or users
> with our default configuration (since the alternative does the same
> thing aside from unexpected
> results where the same Location is mapped to a file in an unintended
> location)
>
>> This is how every person expects it.
>>
>> So you want to go make that more convoluted?
>
> I don't think Alias + "SetHandler cgi-script" in the default
> configuration is any more convoluted, given there's already a
> corresponding Directory section.
> You could even argue it's conceptually simpler.

OK... I must be missing something here or misinterpreting what you are
suggesting; well, it is Sunday morning...

You want to nuke ScriptAlias, which itself is not used in a <Directory>
(not that I've ever seen, and a quick Google for 15 mins or so shows all
these how-to-configure-ISP-web-servers blogs, and none of them seem to
either).

Then how do you propose those using it, as let's say in my example, set
the CGI directory for that vhost? Which could be any name, in any
location depending on how said shared host servers are set up. I use
/var/www/vhost/domain/www/cgi-bin, but previous employers have used
/var/www/domain/cgi or /www/domains/cgi-bin and /vhosts/substr0
domain/substr1 domain/domain/cgi-bin ...

We all run it differently; there are no hard, set-in-stone locations for a
virtual host's docroot or ScriptAlias. It is dangerous to deprecate it,
since that essentially implies it's gone.

ScriptAlias's purpose is to say "hey httpd, our https://domain/cgi-bin/
directory is really here on the filesystem at /var/www/cgi-bin/".

It's simple and has worked for decades. If you feel it's not secure and needs
replacing with other commands, the code for those other commands should be
internally called by the ScriptAlias directive.

--
Regards,
Noel Butler

Re: default conf and ScriptAlias
> Then how do you propose those using it, as lets say in my example, set the cgi directory for that vhost?

They can keep using it, get the equivalent function from a default
configuration and never be the wiser, or use/change to Alias + an
explicit SetHandler and Options.
Most default configurations already have both the ScriptAlias and a
Directory section that matches the 2nd argument of the ScriptAlias.

> ScriptAlias's purpose is to say "hey httpd, our https://domain/cgi-bin/ directory is really here on the filesystem at /var/www/cgi-bin/".
> It's simple and has worked for decades. If you feel it's not secure and needs replacing with other commands, the code for those other commands should be internally called by the ScriptAlias directive.

As the manual says, ScriptAlias is equivalent to (syntactic sugar for):

Alias "/cgi-bin/" "/web/cgi-bin/"
<Location "/cgi-bin">
SetHandler cgi-script
Options +ExecCGI
</Location>

Rather than

Alias "/cgi-bin/" "/web/cgi-bin/"
<Directory "/web/cgi-bin">
SetHandler cgi-script
Options +ExecCGI
</Directory>

Generically, we tell people to use Directory sections when they think
they're working with filesystem content so some unexpected URL to
filesystem mapping can't have an unexpected result.
ScriptAlias subtly exposes you to this same kind of problem for
marking resources to be interpreted as CGI.
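The thread above turns on two points: ScriptAlias is sugar for an Alias plus a Location-scoped SetHandler, and most configurations already carry a <Directory> section for the ScriptAlias target, so the Directory-scoped spelling costs nothing. The script below is an added example (not httpd code and not from anyone on this thread) that audits a config for two-argument ScriptAlias directives, reports whether a <Directory> for the target path exists, and prints the Directory-scoped equivalent Eric quotes from the manual. Assumptions: the config is passed in as one string (Include/IncludeOptional are not followed, so concatenate first); ScriptAliasMatch, the one-argument ScriptAlias form inside <Location>, and regex <Directory ~ ...> sections are skipped; and a <Directory> "covers" a ScriptAlias when its path equals the target ignoring trailing slashes. The sample config is constructed from the layouts shown in the thread.

```python
"""Audit httpd config text for ScriptAlias and emit the Directory-scoped form.

Added example for this thread; not httpd code. Only the two-argument
ScriptAlias form is handled, and only literal <Directory "..."> sections
are matched (regex sections and ScriptAliasMatch are skipped).
"""
import re
import shlex
from dataclasses import dataclass
from typing import List

# "ScriptAliasMatch" does not match: the token must be followed by whitespace.
SCRIPTALIAS_RE = re.compile(r'^ScriptAlias\s+(.+)$', re.IGNORECASE)
# "<DirectoryMatch ...>" likewise does not match this pattern.
DIRECTORY_OPEN_RE = re.compile(r'^<Directory\s+(.+?)\s*>$', re.IGNORECASE)


@dataclass
class ScriptAliasEntry:
    line_no: int
    url_prefix: str
    fs_path: str
    covered: bool  # a literal <Directory> for fs_path exists somewhere in the config


def _norm(path: str) -> str:
    """Compare filesystem paths with trailing slashes ignored."""
    stripped = path.rstrip('/')
    return stripped if stripped else '/'


def _args(text: str) -> List[str]:
    """Split directive arguments, honouring httpd-style double quotes."""
    return shlex.split(text, comments=True)


def audit(config_text: str) -> List[ScriptAliasEntry]:
    """Return every two-argument ScriptAlias with its <Directory> coverage."""
    entries: List[ScriptAliasEntry] = []
    directories = set()
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DIRECTORY_OPEN_RE.match(line)
        if m:
            args = _args(m.group(1))
            if args and args[0] != '~':  # "<Directory ~ regex>" cannot be string-matched
                directories.add(_norm(args[0]))
            continue
        m = SCRIPTALIAS_RE.match(line)
        if m:
            args = _args(m.group(1))
            if len(args) == 2:  # ScriptAlias /url-prefix/ /filesystem/path/
                entries.append(ScriptAliasEntry(line_no, args[0], args[1], False))
    for entry in entries:
        entry.covered = _norm(entry.fs_path) in directories
    return entries


def directory_equivalent(entry: ScriptAliasEntry) -> str:
    """The Alias + <Directory> spelling of one ScriptAlias, as the manual describes."""
    return (
        f'Alias "{entry.url_prefix}" "{entry.fs_path}"\n'
        f'<Directory "{_norm(entry.fs_path)}">\n'
        '    SetHandler cgi-script\n'
        '    Options +ExecCGI\n'
        '</Directory>\n'
    )


# Constructed sample: the global layout from the thread (covered by a
# <Directory>) plus a virtual host whose ScriptAlias has no matching section.
SAMPLE_CONFIG = """\
DocumentRoot "/var/www/html"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/vhost/example.test/www/html
    ScriptAlias /cgi-bin/ /var/www/vhost/example.test/www/cgi-bin/
</VirtualHost>
"""

if __name__ == '__main__':
    for e in audit(SAMPLE_CONFIG):
        status = 'has' if e.covered else 'has NO'
        print(f'line {e.line_no}: ScriptAlias {e.url_prefix} -> {e.fs_path} '
              f'({status} matching <Directory>)')
        print(directory_equivalent(e))
```

When you paste the generated block into a config that already has a <Directory> for the same path with `Options None` (as in the thread's example), put the generated section after the existing one: sections for the same path merge in configuration order, and an absolute `Options None` processed later would clear the `+ExecCGI` again. Note also that the one-argument ScriptAlias inside <Location> and ScriptAliasMatch are deliberately not reported here, so a clean audit does not mean no CGI mapping is Location-scoped.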