Re: partial URLs ?

Mike Meyer ([email protected])
Thu, 21 Dec 1995 09:23:56 PST


> Yes, "/../" is a unixism, but the path part of a URL is inherently
> platform specific. I see URLs with "\" in them for DOS-type hosts, and
> "\..\" is just as much of a problem--maybe more because of the lack
> of permissions-bits in most DOSish OSs. The code I've seen that 403s
> these things checks for the ".." and that seems to be a pretty
> universal string for "go up a level in the file system", or do you
> know of an OS with more than 3 servers on the net that doesn't work
> that way?

Do you know of any other OS that *does* work that way? If not, then
pretty much every platform on the net except Unix and Dos based ones
qualify. I've seen numerous claims that the most common server on the
is running on neither Unix nor DOS. Of course, server authors for
those platforms will probably just ignore this restriction, as they
have no reason to deal with it.

> (side note: MS has implemented "..." and "...." in Win95 for
> referencing up two- and three- levels respectively. I don't know about
> NT, but if it's not in there now it soon will be. A check for ".."
> would obviously catch this as well.)

So you're arguing that the string ".." anywhere in the path - not just
as a path componenet - ought to be illegal? Is there any point in this
other than letting incompetent programmers blame the client if their
system is broken into?

Seriously, what is the point of this? Competent programmers on boxes
that add special meaning to any path component will deal with it in
the server whether it's illegal or not. Making it illegal isn't any
more likely to make incompetent programmers check for it than a
warning. Programmers for other boxes will ignore it. Should clients
refuse to send it if it shows up in a document? Should your email
address show up in the error message so users can go direct to you for
an explanation?

<mike