URI security

Paul Phillips ([email protected])
Fri, 28 Apr 1995 20:27:18 +0500


Upon whom does the responsibility lie for avoiding ".." in request
pathnames? Would a server that rejects any URL request with ".." in it be
non-compliant? It's my (limited) understanding that the client is
supposed to take care of this, i.e. if I have a page like so:

/foo/bar.html:

<A HREF="../baz.html">Baz</A>

The client should issue that request as /baz.html rarther than
/foo/../baz.html. Is this codified anywhere? I don't like the server
overhead of doing .. translations, I'd rather reject it out of hand, if I
can.

--
Paul Phillips                                 EMAIL: [email protected]  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850