W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1995

Re: partial URLs ? (was

From: Daniel W. Connolly <connolly@beach.w3.org>
Date: Wed, 20 Dec 1995 13:27:49 -0500
Message-Id: <m0tSTEz-0002UXC@beach.w3.org>
To: Mike Meyer <mwm@contessa.phone.net>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
In message <19951212.79A6B78.8840@contessa.phone.net>, Mike Meyer writes:
>
>Yes, having ".." (or "") as a path component creates interesting
>problems in writing relative URLs, and is probably a bad idea on any
>server. Yes, an attempt to access "../../../../etc/passwd" is probably
>someone trying to break into the system. However, it's up to the
>people running the server, not the spec, to decide what is and is not
>a security problem and deal with them.

It _is_ "up to the spec" to make implementors aware of such issues.
That's why SECURITY CONSIDERATIONS is mandatory in all RFCs, no?


(I agree that returning 403 on seeing /../ is a should, not a must)

Dan
Received on Wednesday, 20 December 1995 10:31:45 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:37 EDT