--- mod_vhost_alias.c   2008-09-28 17:06:52.000000000 -0700
+++ mod_vhost_alias_mine.c      2008-09-28 17:02:51.000000000 -0700
@@ -37,7 +37,7 @@
 #include "apr_strings.h"
 #include "apr_hooks.h"
 #include "apr_lib.h"
-
+#include <unistd.h>
 #define APR_WANT_STRFUNC
 #include "apr_want.h"

@@ -250,7 +250,7 @@
     }
 }

-static void vhost_alias_interpolate(request_rec *r, const char *name,
+static int vhost_alias_interpolate(request_rec *r, const char *name,
                                     const char *map, const char *uri)
 {
     /* 0..9 9..0 */
@@ -372,12 +372,19 @@
         ++uri;
     }

+    /* Check accessibility of transformed directory path */
+    if(access(buf, R_OK)) {
+        return 0;
+    }
+
     if (r->filename) {
         r->filename = apr_pstrcat(r->pool, r->filename, buf, uri, NULL);
     }
     else {
         r->filename = apr_pstrcat(r->pool, buf, uri, NULL);
     }
+
+    return 1;
 }

 static int mva_translate(request_rec *r)
@@ -426,7 +433,8 @@
      * canonical_path buffer.
      */
     r->canonical_filename = "";
-    vhost_alias_interpolate(r, name, map, uri);
+    if(!vhost_alias_interpolate(r, name, map, uri))
+       return DECLINED;

     if (cgi) {
         /* see is_scriptaliased() in mod_cgi */