Date: Wed, 20 Dec 1995 21:48:29 -0600 Message-Id: <199512210348.VAA08895@primus.paranoia.com> To: firstname.lastname@example.org, email@example.com From: BearHeart/Bill Weinman <BearHeart@bearnet.com> Subject: Re: partial URLs ? (I got four copies of this message!! I have no idea why that happened. <sigh> The Mail Gods must have been upset by my rant.) At 09:13 pm 12/20/95 -0600, Chuck Shotton wrote: >The most important thing to remember is that this type of URL syntax only >has meaning to WWW clients. HTTP servers always receive the complete path >so all of this relative URL stuff is client-only. If clients are >interpreting the ".." above the root of the doc tree, you should be very >worried because they know something about your server that the server >didn't tell them. >If you are worried about encoded ".." characters in a URL, then that is >strictly a server side problem and the server author should be spanked for >not checking. I think your assumption is in error. I have a little testing-server I wrote so I could see how different browsers act about stuff. It logs the entire conversation. (It's really usefull--it'll be in my book.) I typed this into Netscape: http://luna:8080/../../../etc/passwd I got this in my log . . . GET /../../../etc/passwd HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/2.0b3 (Win95; I) Host: luna:8080 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 370 Request: GET /../../../etc/passwd 370 403 Forbidden (/../../../etc/passwd contains go-back) So it's not just a client problem . . . the client blindly sends that request to the server. The server MUST deal with this, and as you can see, it MUST disallow it. (OTOH, I could have sent that request just as easily from telnet, and chances are that someone trying to break into a system would not be using Netscape anyway.) Personally, I think 403 is the appropriate message. If someone is doing a Bad Thing, an ambiguous message adds nothing to the security--they know what they're trying to do. And if they aren't malevolent then there's no valid reason to be ambiguous. Of course, a 603 Scatalogical message would be okay too! ;^) (I think I'll put one in my mini-server. <bg>) +----------------------------------------------------------------------+ * BearHeart / Bill Weinman * BearHeart@bearnet.com * * http://www.bearnet.com/ * * Author of The CGI Book: * http://www.bearnet.com/cgibook/ * * Sex is dirty. So save it for someone you love.