Re: partial URLs ? (was <p> ... </p>)

BearHeart/Bill Weinman (
Wed, 20 Dec 1995 12:33:11 -0600

Date: Wed, 20 Dec 1995 12:33:11 -0600
Message-Id: <>
To: "Daniel W. Connolly" <>
From: BearHeart/Bill Weinman <>
Subject: Re: partial URLs ? (was <p> ... </p>) 

>At 10:24 am 12/20/95 -0500, Daniel W. Connolly wrote:
>>In message <>, Jon Wallis writes:
>>>At 13:19 19/12/95 -0600, BearHeart/Bill Weinman wrote:
>>>>At 10:40 am 12/19/95 -0800, Walter Ian Kaye wrote:
>>>><A HREF="../map.html"><IMG SRC="../gifs/btnmap3.gif" ALT="[Index]"
>>>   The problem with the parial URLs may be the "../" references. 
>>>   Some servers, and perhaps some browsers too, disallow them because 
>>>they've been abused to get around security measures. 

>I think there are two issues that are getting confused here:
>	(1) whether it's OK to use ../../ in an HREF or SRC attribute
>	in an HTML document,
>	(2) whether it's OK to _send_ ../../ in the path field of
>	and HTTP request.

>(1) is cool, (2) is not.

   Question: if (1) is cool, and (2) ain't, howz the browser supposed 
to deal with (1) without, at least sometimes, creating (2)?

>	GET /../../../../etc/passwd HTTP/1.0
>	Accept: text/plain

   Thanks for clearing this up, Dan. You stated it much more 
lucidly than I did. 

>In stead, any server that sees /../ in the HTTP path is supposed to
>issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!

   I have a copy of ...spec-04 and it's not in there either. But, 
you're right it should be.  (and 403 is "Forbidden" which is where 
this ought to fall.)

 * BearHeart / Bill Weinman 
 * *            * *
 * Author of The CGI Book:    * *
 * Trust everyone, but brand your cattle.