Re: partial URLs ? (was <p> ... </p>)

BearHeart/Bill Weinman (BearHeart@bearnet.com)
Wed, 20 Dec 1995 14:43:18 -0600


Date: Wed, 20 Dec 1995 14:43:18 -0600
Message-Id: <199512202043.OAA04050@primus.paranoia.com>
To: www-html@w3.org
From: BearHeart/Bill Weinman <BearHeart@bearnet.com>
Subject: Re: partial URLs ? (was <p> ... </p>)

At 03:24 pm 12/20/95 -0500, tritan@agora.com wrote:
>
>| >Instead, any server that sees /../ in the HTTP path is supposed to
>| >issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>| >YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!
>| 
>|    I have a copy of ...spec-04 and it's not in there either. But, 
>| you're right, it should be.  (and 403 is "Forbidden" which is where 
>| this ought to fall.)
>
>Why should that have to be in the spec?
>
>A server can legally say that you are forbidden to view any file it so
>chooses based on any criteria it wants to, no? (eg. who you are, what
>you requested, time of day, phase of the moon...)
>
>Therefore it is already reasonable for a server to refuse to serve you
>/../../etc/password. On the other hand, if I *want* to let you look at
>my entire disk, including /etc/password, I should be allowed to write
>a server that does so, no? My point is that the spec should be
>minimalist in telling me what I should let users do.

   The spec has to make security precautions where reasonable if 
we expect a broad implementation of a standard. It's part of the 
IETF process. 

   If you want to make your whole disk accessible to the world, then 
you still can, within the spec, point your document root at "/".

   If you only want to make, say, "/etc", available you can do 
that with a symbolic link. 

>is really necessarily true. Perhaps it makes more sense to return an
>"I don't know what you want (invalid request)" type error code rather
>than "Forbidden" which implies that I know what you want, but you
>aren't allowed to look there.

   The idea of "403 Forbidden" is to say "no need to try that again 
because it doesn't work and it never will". 


+----------------------------------------------------------------------+
 * BearHeart / Bill Weinman 
 * BearHeart@bearnet.com *            * http://www.bearnet.com/ *
 * Author of The CGI Book:    * http://www.bearnet.com/cgibook/ *
 * Trust everyone, but brand your cattle.
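The server-side check the thread argues about, as an added example that is not part of the original message or of any server it mentions: a request-path resolver that percent-decodes the path, collapses "." and ".." lexically, answers 403 when a ".." would climb above the document root, and otherwise maps the path onto the root. The document root and the sample requests are constructed; `normalise_path`, `resolve_request_path` and `DOC_ROOT` are names chosen here. The only library call is `urllib.parse.unquote`.

```python
"""Request-path containment check for a static file server (added example)."""
from urllib.parse import unquote

# Constructed document root used by the sample requests below.
DOC_ROOT = "/var/www/html"


def normalise_path(path):
    """Collapse '.' and '..' segments lexically.

    Returns the normalised absolute path, or None if a '..' would climb
    above the root.  posixpath.normpath is deliberately not used: it turns
    '/../etc/passwd' into '/etc/passwd' and hides the escape attempt.
    """
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def resolve_request_path(doc_root, request_target):
    """Map an HTTP request-target onto the filesystem.

    Returns (status, filesystem_path): 200 and the file to serve when the
    path stays inside doc_root, 403 and None when it tries to escape,
    400 and None when it is not an absolute path at all.
    """
    path = request_target.split("?", 1)[0]
    # Decode once *before* checking, so '%2e%2e' is examined as '..'.
    path = unquote(path)
    if not path.startswith("/") or "\x00" in path:
        return 400, None
    normalised = normalise_path(path)
    if normalised is None:
        # Forbidden: this request will never be served, so 403, not 404.
        return 403, None
    root = doc_root.rstrip("/")
    return 200, root + normalised


# Constructed sample requests, including the one discussed in the thread.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/./sub/../page.html?v=2",
    "/../../etc/password",
    "/docs/../../etc/password",
    "/%2e%2e/etc/password",
    "index.html",
]


def main():
    for target in SAMPLE_REQUESTS:
        status, fs_path = resolve_request_path(DOC_ROOT, target)
        print(f"{status} {target!r} -> {fs_path}")
    # A server whose document root is "/" serves the whole disk, which the
    # message says an operator may choose; the check then forbids nothing.
    print(resolve_request_path("/", "/etc/password"))


if __name__ == "__main__":
    main()
```

The normalisation is lexical on purpose: it never calls the filesystem, so a symbolic link the administrator places under the document root (the "/etc" via symlink case in the message) keeps working, while a path that climbs above the root is refused before any file is opened. A resolver built on `os.path.realpath` would instead reject that symlink, which is a different policy choice from the one the message describes.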