Randal L. Schwartz:
: I'm not sure why people are still so entranced by the use of the
: word "ScriptAlias".  Not to mention that ScriptAlias is something
: only the webmaster can edit, not general users, since it's illegal
: to use in an .htaccess file.
: ...
: So, for example, if you wanted ~merlyn/cgi to be a cgi-bin, simply:
[incantation omitted]
: And like magic, it's a CGI bin!

And like magic, you've opened up a potential security hole, because
you're allowing "general users" who probably know zip about web
security to create CGI areas that you (the webmaster) don't know
about.

I'd prefer not to let people run code on my server unless I have the
chance to review it. That means I have to know where it is. Can't do
that if everyone's creating their own CGI directories.

ScriptAlias also provides the webmaster with some configuration
control.  It's nice to know that if something changes- Perl 6 gets
installed, say ;)- you know where the things are that will be
affected.

The situation may be different for an ISP, but my web server has a
specific operational purpose, and in that case, I see nothing wrong
with exercising a little control.

-- tdk
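
An added example, not part of either poster's message: one way for a webmaster to learn where per-user CGI areas exist is to scan the document tree for `.htaccess` files that switch CGI execution on. It assumes Apache's `Options ExecCGI` and `AddHandler`/`SetHandler cgi-script` directives are what AllowOverride lets users set; the function names and sample tree are constructed for illustration, and backslash line continuations are not handled.

```python
import os
import re
import tempfile

# .htaccess directives that enable CGI when AllowOverride permits them.
OPTIONS_RE = re.compile(r'^Options\b(.*)$', re.I)
HANDLER_RE = re.compile(r'^(AddHandler|SetHandler)\s+"?cgi-script"?\b', re.I)

def cgi_enabling_lines(text):
    """Return (lineno, line) pairs in one .htaccess body that enable CGI."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPTIONS_RE.match(line)
        if m:
            opts = {o.lower() for o in m.group(1).split()}
            # "ExecCGI", "+ExecCGI" and "All" turn it on; "-ExecCGI" does not.
            if opts & {'execcgi', '+execcgi', 'all'}:
                hits.append((n, line))
        elif HANDLER_RE.match(line):
            hits.append((n, line))
    return hits

def audit(docroot):
    """Walk docroot and map each .htaccess path to its CGI-enabling lines."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, errors='replace') as fh:
                hits = cgi_enabling_lines(fh.read())
            if hits:
                report[path] = hits
    return report

def demo():
    # Constructed sample tree: one user enables CGI, one does not.
    samples = {
        'user1/cgi': 'Options +ExecCGI\nSetHandler cgi-script\n',
        'user2': '# Options +ExecCGI\nOptions -ExecCGI Indexes\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, '.htaccess'), 'w') as fh:
                fh.write(body)
        return {os.path.relpath(p, root): h for p, h in audit(root).items()}
```

Run `audit()` against the real document root from cron and diff the output between runs to spot newly created CGI directories.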
