From 9dfa0c51eac97866078e808dec2183cb7871ff7c Mon Sep 17 00:00:00 2001
From: Konrad Pietrzak <konrad@erlang.org>
Date: Mon, 23 Mar 2026 14:43:35 +0100
Subject: [PATCH] inets: Check script_alias when using mod_auth

---
 lib/inets/doc/src/httpd.xml             |  4 ++++
 lib/inets/src/http_server/mod_alias.erl | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/inets/doc/src/httpd.xml b/lib/inets/doc/src/httpd.xml
index 22c3b05a01af..897438fa8e8c 100644
--- a/lib/inets/doc/src/httpd.xml
+++ b/lib/inets/doc/src/httpd.xml
@@ -526,6 +526,10 @@ Transport: TLS
 
 	<p>Access to http://your.server.org/cgi-bin/foo would cause
 	the server to run the script /web/cgi-bin/foo.</p>
+        <note><p>When using <c>script_alias</c> with directory-based authentication
+            <seeerl marker="#prop_dri">directory</seeerl>, ensure that authentication
+            rules reference the actual filesystem path (RealName), not the URL path (Alias).
+            The server correctly resolves script_alias paths for authentication checks.</p></note>
       </item>
 
       <tag><marker id="prop_script_re_write"></marker>{script_re_write, {Re, Replacement}}</tag>
diff --git a/lib/inets/src/http_server/mod_alias.erl b/lib/inets/src/http_server/mod_alias.erl
index b310a7c909d0..67041ae516bf 100644
--- a/lib/inets/src/http_server/mod_alias.erl
+++ b/lib/inets/src/http_server/mod_alias.erl
@@ -251,6 +251,13 @@ store({re_write, {Re, Replacement}} = Conf, _)
     end;
 store({re_write, _} = Conf, _) ->
     {error, {wrong_type, Conf}};
+
+% When `script_alias` is used in conjunction with `m:mod_auth` for directory-based
+% access control, authentication rules are evaluated against the actual filesystem
+% path where scripts reside, not the aliased URL path. This ensures that CGI scripts
+% mapped outside the document root are properly protected by directory authentication
+% directives.
+
 store({script_alias, {Fake, Real}}, _)
   when is_list(Fake), is_list(Real) ->
     {ok, {script_alias,{"^"++Fake,Real}}};
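Review bot: The new comment sits between two clauses of `store/2` but describes behaviour that comes from the `which_alias/1` change further down, so a reader of `store/2` finds nothing here that does what it says. It also uses a single `%` where the file's own separators use `%%`, and `m:mod_auth` is doc-attribute link syntax that has no effect in a plain comment. I would move it above `which_alias/1` and shorten it, e.g. `%% script_alias entries are included so that path resolution for directory-based auth sees the real script directory.` The `store/2` clauses begin and continue outside this hunk.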
@@ -281,7 +288,8 @@ is_directory_index_list(_) ->
 %% ---------------------------------------------------------------------
 
 which_alias(ConfigDB) ->
-    httpd_util:multi_lookup(ConfigDB, alias). 
+    httpd_util:multi_lookup(ConfigDB, alias) ++
+        httpd_util:multi_lookup(ConfigDB, script_alias).
 
 which_server_name(ConfigDB) ->
     httpd_util:lookup(ConfigDB, server_name).
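Review bot: `which_alias/1` now appends the `script_alias` entries, but `script_re_write` mappings (documented right after `script_alias` in httpd.xml) are still left out. If directory authentication resolves the real path through this list, scripts reached through `script_re_write` would presumably still be checked against the URL path; this is worth confirming and, if so, covering in the same fix. The change also affects every caller of `which_alias/1`, not only mod_auth. Because `alias` entries now precede `script_alias` entries, overlapping prefixes could resolve differently if a caller takes the first match rather than the longest. The patch adds no regression test; a case that requests a `script_alias` path under a protected `directory` and expects the request to be refused without credentials would pin the intended behaviour.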
