Re: partial URLs ? (was <p> ... </p>)

BearHeart/Bill Weinman ([email protected])
Wed, 20 Dec 1995 12:33:11 -0600


>At 10:24 am 12/20/95 -0500, Daniel W. Connolly wrote:
>>In message <[email protected]>, Jon Wallis writes:
>>>At 13:19 19/12/95 -0600, BearHeart/Bill Weinman wrote:
>>>>At 10:40 am 12/19/95 -0800, Walter Ian Kaye wrote:
>>>><A HREF="../map.html"><IMG SRC="../gifs/btnmap3.gif" ALT="[Index]"
>>> The problem with the partial URLs may be the "../" references.
>>> Some servers, and perhaps some browsers too, disallow them because
>>>they've been abused to get around security measures.

>I think there are two issues that are getting confused here:
> (1) whether it's OK to use ../../ in an HREF or SRC attribute
> in an HTML document,
> (2) whether it's OK to _send_ ../../ in the path field of
> an HTTP request.

>(1) is cool, (2) is not.

Question: if (1) is cool, and (2) ain't, howz the browser supposed
to deal with (1) without, at least sometimes, creating (2)?

> GET /../../../../etc/passwd HTTP/1.0
> Accept: text/plain

Thanks for clearing this up, Dan. You stated it much more
lucidly than I did.

>Instead, any server that sees /../ in the HTTP path is supposed to
>issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!

I have a copy of ...spec-04 and it's not in there either. But,
you're right, it should be. (and 403 is "Forbidden" which is where
this ought to fall.)

+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* [email protected] * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* Trust everyone, but brand your cattle.
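The question in the mail (how can a browser use "../" in an HREF without ever sending "../" in a request) is answered by the relative-URL resolution step: the browser merges the reference with the page's base URL and removes the dot segments before it builds the request line, and the server independently refuses any path that still carries ".." with a 403. The following is an added example illustrating both halves; it is not code from the original mail or from any browser or server discussed there. The base URL on www.example.com, the reference strings and the request lines are constructed sample data, and `status_for` is a hypothetical stand-in for a server's request-path check, not a real server's API.

```python
"""Resolve relative URLs the way a browser must (dot segments removed
client-side) and reject request paths that still contain ".." (server-side).

Added illustration; base URL, references and request lines are constructed.
"""
from urllib.parse import urlsplit, urlunsplit, unquote


def remove_dot_segments(path):
    """Collapse "." and ".." segments in an absolute path (RFC 3986 5.2.4 style).

    A ".." that would climb above the root is simply dropped, so the result
    never contains ".." and never escapes the root.
    """
    segments = path.split('/')
    out = []
    for seg in segments:
        if seg == '.':
            continue
        if seg == '..':
            if len(out) > 1:          # keep the leading '' that represents the root
                out.pop()
            continue
        out.append(seg)
    # A trailing "." or ".." refers to a directory, so keep the trailing slash.
    if segments and segments[-1] in ('.', '..'):
        out.append('')
    return '/'.join(out)


def resolve(base, ref):
    """Merge a (possibly relative) reference against a base URL.

    This is what a browser does with an HREF/SRC such as "../map.html" before
    it ever writes a GET line: the path it sends has no ".." left in it.
    """
    b = urlsplit(base)
    r = urlsplit(ref)
    if r.scheme:                      # absolute reference: use it as-is
        return urlunsplit((r.scheme, r.netloc, remove_dot_segments(r.path),
                           r.query, r.fragment))
    if r.netloc:                      # network-path reference ("//host/...")
        return urlunsplit((b.scheme, r.netloc, remove_dot_segments(r.path),
                           r.query, r.fragment))
    if not r.path:                    # empty path: same document, maybe new query
        path = b.path
        query = r.query if r.query else b.query
    else:
        if r.path.startswith('/'):
            path = r.path
        else:                         # merge: base directory + relative path
            path = b.path[:b.path.rfind('/') + 1] + r.path
        query = r.query
    return urlunsplit((b.scheme, b.netloc, remove_dot_segments(path),
                       query, r.fragment))


def request_path_is_acceptable(raw_path):
    """Server-side check: refuse any request path containing a ".." segment.

    Percent-encoding is undone repeatedly (bounded) so "%2e%2e" and doubly
    encoded variants are judged on what they decode to, not how they look.
    """
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return not any(seg == '..' for seg in decoded.split('/'))


def status_for(request_line):
    """Hypothetical server dispatch: 403 Forbidden for "..", else 200."""
    parts = request_line.split()
    if len(parts) != 3:
        return 400
    path = parts[1].split('?', 1)[0]
    if not request_path_is_acceptable(path):
        return 403                    # "Forbidden", as the mail proposes
    return 200


if __name__ == '__main__':
    base = 'http://www.example.com/docs/sub/page.html'   # constructed
    for ref in ('../map.html', '../gifs/btnmap3.gif', '../../../../above-root.html'):
        print(ref, '->', resolve(base, ref))
    for line in ('GET /docs/map.html HTTP/1.0',
                 'GET /../../secret.txt HTTP/1.0',
                 'GET /%2e%2e/%2e%2e/secret.txt HTTP/1.0'):
        print(line, '->', status_for(line))
```

Note the asymmetry: the client-side resolver silently drops a ".." that would climb above the root (so "(1) is cool" costs nothing), while the server treats a ".." that actually arrives in the request line as a sign that something other than a well-behaved browser built it, and refuses rather than resolves it.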