Re: partial URLs ? (was

Mike Meyer (mwm@contessa.phone.net)
Tue, 12 Dec 1995 13:59:37 PST


In-Reply-To: <199512201948.OAA17715@age.cs.columbia.edu>
Message-Id: <19951212.7B4D9E8.CC13@contessa.phone.net>
To: www-html@w3.org

> I like Dan Connolly's response that a well-behaved Client should NOT
> request any URL with ../ in it because it may get a 403 response.

I don't like that argument (and I didn't see it from Dan) - it's very
Unix-centric, and doesn't generalize. After all, if you can't use some
string in a URL because it MAY get a 403 response, then I can add a
single line to my server config that would imply you shouldn't use any
text string in a URL.

What behavior did Dan (or you) recommend if I type in a URL with a
"../" in it by hand? Not doing what the user asked you to, to avoid
vague security problems on someone else's machine is pretty clearly
broken. Escaping the URL is acceptable, and might even produce the
correct results.

	<mike