Re: partial URLs ? (was

Mike Meyer (mwm@contessa.phone.net)
Thu, 21 Dec 1995 11:16:07 PST


Subject:  Re: partial URLs ? (was
In-Reply-To: <v02130517acfe7b6074b3@[198.64.246.22]>
From: mwm@contessa.phone.net (Mike Meyer)
Date: Thu, 21 Dec 1995 11:16:07 PST
Message-Id: <19951221.79AF578.9FEE@contessa.phone.net>
To: www-html@w3.org

> >It would, of course, be quite reasonable for the HTTP spec to have
> >a UNIX-centric warning to implementors that they should make this
> >string illegal for their implementation (or risk the consequences).
> 
> And by the same token, a warning that URL paths are not file system paths,
> regardless of the one to one mapping in many servers.

Actually, the warning doesn't have to be unix centric. It can also
imply the warning about file systems at the same time. Suggested
wording:

	While URLs paths are not file system paths, they may be
	implemented as such. If this is the case, any path components
	that have a meaning other than "descend into the named
	directory" in the file system should be examined for possibly
	security problems and disallowed if there are any. For example, 
	".." as a path component on Unix and MS-DOS means to go up one
	directory level, which can potentially access files outside
	the server tree, and should thus be disallowed.

See - it has a non-Unix-centric warning, a warning that URLs are not
file paths, and mentions ".." explicitly.

	<mike