Re: partial URLs ? (was

Mike Meyer ([email protected])
Thu, 21 Dec 1995 11:16:07 PST


> >It would, of course, be quite reasonable for the HTTP spec to have
> >a UNIX-centric warning to implementors that they should make this
> >string illegal for their implementation (or risk the consequences).
>
> And by the same token, a warning that URL paths are not file system paths,
> regardless of the one to one mapping in many servers.

Actually, the warning doesn't have to be unix centric. It can also
imply the warning about file systems at the same time. Suggested
wording:

While URLs paths are not file system paths, they may be
implemented as such. If this is the case, any path components
that have a meaning other than "descend into the named
directory" in the file system should be examined for possibly
security problems and disallowed if there are any. For example,
".." as a path component on Unix and MS-DOS means to go up one
directory level, which can potentially access files outside
the server tree, and should thus be disallowed.

See - it has a non-Unix-centric warning, a warning that URLs are not
file paths, and mentions ".." explicitly.

<mike