Re: partial URLs ?

BearHeart/Bill Weinman ([email protected])
Wed, 20 Dec 1995 21:48:29 -0600


(I got four copies of this message!! I have no idea why that happened.
<sigh> The Mail Gods must have been upset by my rant.)

At 09:13 pm 12/20/95 -0600, Chuck Shotton wrote:
>The most important thing to remember is that this type of URL syntax only
>has meaning to WWW clients. HTTP servers always receive the complete path
>so all of this relative URL stuff is client-only. If clients are
>interpreting the ".." above the root of the doc tree, you should be very
>worried because they know something about your server that the server
>didn't tell them.

>If you are worried about encoded ".." characters in a URL, then that is
>strictly a server side problem and the server author should be spanked for
>not checking.

I think your assumption is in error.

I have a little testing-server I wrote so I could see how
different browsers act about stuff. It logs the entire conversation.
(It's really usefull--it'll be in my book.)

I typed this into Netscape: http://luna:8080/../../../etc/passwd

I got this in my log . . .

GET /../../../etc/passwd HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/2.0b3 (Win95; I)
Host: luna:8080
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

370 Request: GET /../../../etc/passwd
370 403 Forbidden (/../../../etc/passwd contains go-back)

So it's not just a client problem . . . the client blindly sends
that request to the server. The server MUST deal with this, and as
you can see, it MUST disallow it.

(OTOH, I could have sent that request just as easily from telnet,
and chances are that someone trying to break into a system would not
be using Netscape anyway.)

Personally, I think 403 is the appropriate message. If someone
is doing a Bad Thing, an ambiguous message adds nothing to the
security--they know what they're trying to do. And if they aren't
malevolent then there's no valid reason to be ambiguous.

Of course, a 603 Scatalogical message would be okay too! ;^)

(I think I'll put one in my mini-server. <bg>)

+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* [email protected] * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* Sex is dirty. So save it for someone you love.