- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 27 May 2008 15:33:19 -0700
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Bjoern Hoehrmann wrote:
>> Not really sure how to fix this short of disabling the whole
>> Access-Control-Policy-Path feature. Especially if we assume that there
>> are other canonicalization behaviors out there as well.
>
> That would be a safe bet. For example, an Apache configuration like:
>
>   RewriteCond %{QUERY_STRING} for=([^&;]+)
>   RewriteRule ^apis/search /scripts/%1.php [L]
>
> would map /apis/search?for=images to /scripts/images.php, but would
> also map /apis/search?for=../admin/example to /admin/example.php
> internally, so posting to one would be like posting to the other. There
> are quite a few techniques similar to this in use
> (http://www.google.com/codesearch?q=query_string+rewriterule.*%251).

I'm less concerned about this since this is much less likely to happen than someone simply using IIS. It is also arguable that this is simply how the server internally produces the resource for the API, i.e. it's not that different from the server having a CGI on /apis/search that executes various server-side executables based on the 'for' parameter.

/ Jonas
Received on Tuesday, 27 May 2008 22:36:14 UTC
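The rewrite Bjoern quotes is easy to reproduce outside Apache. The following Python script is an added example, not code from either poster or from the Apache project: it simulates the quoted RewriteCond/RewriteRule pair, shows that the `[^&;]+` capture lets `../` escape the `/scripts/` directory the rule intended, and that a path-prefix policy (the kind Access-Control-Policy-Path would declare) no longer covers the resource actually served. The `rewrite()` and `policy_path_covers()` helpers, the hardened `[A-Za-z0-9_-]+` pattern, and the sample URLs are all assumptions made for illustration; only the two Apache directives come from the message above.

```python
"""Simulate the Apache RewriteRule quoted in the thread and show how the
query-string capture escapes the intended /scripts/ directory.

Constructed example. The two directives are from the message; the helpers,
the hardened pattern and the sample requests are assumptions for illustration.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import urlsplit

# The quoted rule pair, as Python regexes. In Apache, %1 in the RewriteRule
# target is the first capture group of the last matched RewriteCond.
#   RewriteCond %{QUERY_STRING} for=([^&;]+)
#   RewriteRule ^apis/search /scripts/%1.php [L]
LOOSE_COND = re.compile(r"for=([^&;]+)")
RULE_PATTERN = re.compile(r"^apis/search")
RULE_TARGET = "/scripts/%1.php"

# Assumed hardening (not from the page): only allow a bare identifier,
# so '.' and '/' can never reach the filesystem path.
HARDENED_COND = re.compile(r"for=([A-Za-z0-9_-]+)(?:&|$)")


def rewrite(url: str, cond: "re.Pattern[str]") -> Optional[str]:
    """Return the internal path the rule would hand to the filesystem,
    or None when the RewriteCond or RewriteRule does not match."""
    parts = urlsplit(url)
    m = cond.search(parts.query)
    if m is None:
        return None
    # Apache matches RewriteRule against the URL path without its leading slash.
    if not RULE_PATTERN.search(parts.path.lstrip("/")):
        return None
    substituted = RULE_TARGET.replace("%1", m.group(1))
    # The filesystem collapses '..' segments; that is what makes the escape work.
    return posixpath.normpath(substituted)


def policy_path_covers(internal_path: str, policy_prefix: str = "/scripts/") -> bool:
    """Would a policy scoped to policy_prefix still apply to the resource
    that actually gets executed?"""
    return internal_path.startswith(policy_prefix)


if __name__ == "__main__":
    for req in ("/apis/search?for=images", "/apis/search?for=../admin/example"):
        loose = rewrite(req, LOOSE_COND)
        hard = rewrite(req, HARDENED_COND)
        print(f"{req}\n  loose    -> {loose} (policy covers: {policy_path_covers(loose)})"
              f"\n  hardened -> {hard}")
```

Running the script shows the benign request mapping to `/scripts/images.php` under both patterns, while the `../admin/example` request maps to `/admin/example.php` under the quoted rule (outside the policy prefix) and is rejected outright by the hardened pattern. The point for a path-scoped policy is that the externally visible path `/apis/search` says nothing about which file Apache ends up executing.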