Re: /../ in an http URL

Roy T. Fielding (fielding@avron.ics.uci.edu)
Wed, 20 Dec 1995 21:25:55 -0800


To: www-html@w3.org
Subject: Re: /../ in an http URL
In-Reply-To: <19951212.7AF0398.D1C9@contessa.phone.net>
Date: Wed, 20 Dec 1995 21:25:55 -0800
From: "Roy T. Fielding" <fielding@avron.ics.uci.edu>
Message-Id:  <9512202125.aa27771@paris.ics.uci.edu>

Simply put, the HTTP server is the only application capable of
determining whether ot not /../ is allowed in a Request-URI.

The rules in RFC 1808 only cover relative paths -- once the path
has been resolved into URL form, ".." and "." segments have no special
meaning to the parser.  NOTE that only the client does this parsing,
since the server receives the path in absolute form.  Some older
versions of Lynx are simply broken in this regard.

At the same time, any server worth its salt should prevent multiple
URLs from being mapped to the same resource by accident.  Thus, any
server that allows both

     GET /one/./two HTTP/1.0
and
     GET /one/two HTTP/1.0

to retrieve the same resource is being foolish.  The correct response is
either a redirect (301) or an error (403 or 404).

This does not mean that "/one/./two" is an invalid URL path -- that can
only be determined by the server (or server module/CGI script) which
defines the URL space for its resources.


 ...Roy T. Fielding
    Department of Information & Computer Science    (fielding@ics.uci.edu)
    University of California, Irvine, CA 92717-3425    fax:+1(714)824-4056
    http://www.ics.uci.edu/~fielding/