W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

(SECFILE) Consensus

From: <jg@w3.org>
Date: Tue, 26 Mar 96 17:58:30 -0500
Message-Id: <9603262258.AA07621@zorch.w3.org>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

The following was added to the 1.0 document after the last
1.1 draft and needs to be added into the 1.1 document in section 14 
(Security Considerations).

Unless I hear complaint, the same will be added to the 1.1 draft.
				- Jim


Add subsection to section 14: (Security Considerations)

Attacks Based On File and Path Names

Implementations of HTTP origin servers should be careful to restrict
the documents returned by HTTP requests to be only those that were
intended by the server administrators. If an HTTP server translates
HTTP URIs directly into file system calls, the server must take special
care not to serve files that were not intended to be delivered to HTTP
clients. For example, Unix, Microsoft Windows, and other operating
systems use ".." as a path component to indicate a directory level above
the current one. On such a system, an HTTP server must disallow any
such construct in the Request-URI if it would otherwise allow access
to a resource outside those intended to be accessible via the HTTP
server. Similarly, files intended for reference only internally to the
server (such as access control files, configuration files, and script code)
must be protected from inappropriate retrieval, since they might
contain sensitive information. Experience has shown that minor bugs
in such HTTP server implementations have turned into security risks.
Received on Tuesday, 26 March 1996 15:02:52 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:49 EDT