>I think there are two issues that are getting confused here:
> (1) whether it's OK to use ../../ in an HREF or SRC attribute
> in an HTML document,
> (2) whether it's OK to _send_ ../../ in the path field of
> and HTTP request.
>(1) is cool, (2) is not.
Question: if (1) is cool, and (2) ain't, howz the browser supposed
to deal with (1) without, at least sometimes, creating (2)?
> GET /../../../../etc/passwd HTTP/1.0
> Accept: text/plain
Thanks for clearing this up, Dan. You stated it much more
lucidly than I did.
>In stead, any server that sees /../ in the HTTP path is supposed to
>issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!
I have a copy of ...spec-04 and it's not in there either. But,
you're right it should be. (and 403 is "Forbidden" which is where
this ought to fall.)
+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* [email protected] * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* Trust everyone, but brand your cattle.