From 9dfa0c51eac97866078e808dec2183cb7871ff7c Mon Sep 17 00:00:00 2001
From: Konrad Pietrzak <konrad@erlang.org>
Date: Mon, 23 Mar 2026 14:43:35 +0100
Subject: [PATCH] inets: Check script_alias when using mod_auth

---
 lib/inets/doc/src/httpd.xml             |  4 ++++
 lib/inets/src/http_server/mod_alias.erl | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

Index: otp-OTP-23.3.4.19/lib/inets/doc/src/httpd.xml
===================================================================
--- otp-OTP-23.3.4.19.orig/lib/inets/doc/src/httpd.xml
+++ otp-OTP-23.3.4.19/lib/inets/doc/src/httpd.xml
@@ -527,6 +527,10 @@ Transport: TLS
 	
 	<p>Access to http://your.server.org/cgi-bin/foo would cause
 	the server to run the script /web/cgi-bin/foo.</p>
+        <note><p>When using <c>script_alias</c> with directory-based authentication
+            <seeerl marker="#prop_dri">directory</seeerl>, ensure that authentication
+            rules reference the actual filesystem path (RealName), not the URL path (Alias).
+            The server correctly resolves script_alias paths for authentication checks.</p></note>
       </item>
       
       <tag><marker id="prop_script_re_write"></marker>{script_re_write, {Re, Replacement}}</tag>
Index: otp-OTP-23.3.4.19/lib/inets/src/http_server/mod_alias.erl
===================================================================
--- otp-OTP-23.3.4.19.orig/lib/inets/src/http_server/mod_alias.erl
+++ otp-OTP-23.3.4.19/lib/inets/src/http_server/mod_alias.erl
@@ -246,6 +246,13 @@ store({re_write, {Re, Replacement}} = Co
     end;
 store({re_write, _} = Conf, _) ->
     {error, {wrong_type, Conf}};
+
+% When `script_alias` is used in conjunction with `m:mod_auth` for directory-based
+% access control, authentication rules are evaluated against the actual filesystem
+% path where scripts reside, not the aliased URL path. This ensures that CGI scripts
+% mapped outside the document root are properly protected by directory authentication
+% directives.
+
 store({script_alias, {Fake, Real}} = Conf, _) 
   when is_list(Fake), is_list(Real) ->
     {ok, Conf};
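Review bot: The added comment sits between two clauses of store/2, after the `re_write` clause's `;` and before the `script_alias` clause, but that clause only type-checks `Fake` and `Real` and returns `{ok, Conf}`; nothing in it evaluates authentication. The behaviour described appears to come from the which_alias/1 change later in this patch, so the comment belongs above that function, for example `%% script_alias pairs are included so directory auth is matched against the script's real path`. It also uses a single `%` where the file's other visible comment line uses `%%`, and `m:mod_auth` is doc-markup syntax that reads oddly in a plain source comment. store/2 begins and ends outside the hunk.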
@@ -273,7 +280,8 @@ is_directory_index_list(_) ->
 %% ---------------------------------------------------------------------
 
 which_alias(ConfigDB) ->
-    httpd_util:multi_lookup(ConfigDB, alias). 
+    httpd_util:multi_lookup(ConfigDB, alias) ++
+        httpd_util:multi_lookup(ConfigDB, script_alias).
 
 which_server_name(ConfigDB) ->
     httpd_util:lookup(ConfigDB, server_name).
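Review bot: `which_alias/1` now appends every `script_alias` pair after the `alias` pairs, so the result when an `alias` and a `script_alias` share or overlap a URL prefix depends on how the callers choose a match, and those callers are outside the hunk. If selection is first-match rather than longest-match, a plain `alias` could still shadow the script path and the directory-auth check would be made against the wrong real name. Confirm this and state the intended precedence above the function, e.g. `%% alias pairs first, then script_alias; callers select the longest matching prefix`. The function name no longer describes what it returns, so any other caller that expects static-file aliases only should be checked. A regression case with a `script_alias` target outside the document root and a `directory` auth rule on the real path would pin the behaviour.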
