Re: partial URLs ? from BearHeart/Bill Weinman on 1995-12-21 (www-html@w3.org from December 1995)

From: BearHeart/Bill Weinman <BearHeart@bearnet.com>
Date: Wed, 20 Dec 1995 21:48:29 -0600
To: www-html@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <199512210348.VAA08895@primus.paranoia.com>

  (I got four copies of this message!! I have no idea why that happened. 
<sigh> The Mail Gods must have been upset by my rant.)

At 09:13 pm 12/20/95 -0600, Chuck Shotton wrote:
>The most important thing to remember is that this type of URL syntax only
>has meaning to WWW clients. HTTP servers always receive the complete path
>so all of this relative URL stuff is client-only. If clients are
>interpreting the ".." above the root of the doc tree, you should be very
>worried because they know something about your server that the server
>didn't tell them.

>If you are worried about encoded ".." characters in a URL, then that is
>strictly a server side problem and the server author should be spanked for
>not checking.

   I think your assumption is in error. 

   I have a little testing-server I wrote so I could see how 
different browsers act about stuff. It logs the entire conversation. 
(It's really usefull--it'll be in my book.)

   I typed this into Netscape:  http://luna:8080/../../../etc/passwd

   I got this in my log . . . 

GET /../../../etc/passwd HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/2.0b3 (Win95; I)
Host: luna:8080
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

370 Request: GET /../../../etc/passwd
370 403 Forbidden (/../../../etc/passwd contains go-back)

   So it's not just a client problem . . . the client blindly sends 
that request to the server. The server MUST deal with this, and as 
you can see, it MUST disallow it. 

   (OTOH, I could have sent that request just as easily from telnet, 
and chances are that someone trying to break into a system would not 
be using Netscape anyway.) 

   Personally, I think 403 is the appropriate message. If someone 
is doing a Bad Thing, an ambiguous message adds nothing to the 
security--they know what they're trying to do. And if they aren't 
malevolent then there's no valid reason to be ambiguous. 

   Of course, a 603 Scatalogical message would be okay too! ;^) 

   (I think I'll put one in my mini-server. <bg>)

+----------------------------------------------------------------------+
 * BearHeart / Bill Weinman 
 * BearHeart@bearnet.com *            * http://www.bearnet.com/ *
 * Author of The CGI Book:    * http://www.bearnet.com/cgibook/ *
 * Sex is dirty. So save it for someone you love.

Received on Wednesday, 20 December 1995 22:50:12 UTC