
Section 5.4.2 of RFC 3986 not actually 'legal' syntax

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 11 Oct 2005 22:56:46 -0700
Message-ID: <5691356f0510112256q5777cfbel5ac069a7a741a13d@mail.gmail.com>
To: www-tag@w3.org

I imagine members of the TAG are no doubt aware of the following news event:

"""
On December 31, 2004, Cuthbert, using an Apple laptop and Safari
browser, became concerned that a website collecting credit card
details for donations to the Tsunami appeal could be a phishing site.
After making a donation, and not seeing a final confirmation or
thank-you page, Cuthbert put ../../../ into the address line. If the
site had been unprotected this would have allowed him to move up three
directories.
"""

From <http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/>

Will section 5.4.2 of RFC 3986 be amended to indicate that the
"../../../" syntax is no longer valid syntax, despite being explicitly
declared valid by the current RFC text? I was also wondering if any
other elements of Internet and WWW design will be delegated to the
British courts.

It's funny, and very much not so, all at the same time.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
Received on Wednesday, 12 October 2005 06:13:11 GMT
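
An added example, not part of the original message: the dot-segment removal algorithm of RFC 3986 section 5.2.4, run on the section 5.4.2 references the message refers to, using the RFC's own base URI. The helper names `resolve` and `climbs_above_root` are hypothetical; `resolve` handles path-only references, and `climbs_above_root` is a server-side check that assumes an already percent-decoded path.

```python
from urllib.parse import urlsplit, urlunsplit

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, steps 2A-2E."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):                      # 2A
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):                    # 2B
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":   # 2C: drop last output segment
            inp = "/" + inp[4:]
            if out:
                out.pop()                              # nothing to pop at the root
        elif inp in (".", ".."):                       # 2D
            inp = ""
        else:                                          # 2E: move one segment across
            cut = inp.find("/", 1)
            cut = len(inp) if cut == -1 else cut
            out.append(inp[:cut])
            inp = inp[cut:]
    return "".join(out)

def resolve(base: str, ref: str) -> str:
    """Resolve a path-only reference (no scheme, authority or query) against base."""
    b = urlsplit(base)
    if ref.startswith("/"):
        merged = ref
    else:  # section 5.2.3 merge: base path up to its last "/", then the reference
        merged = (b.path[: b.path.rfind("/") + 1] or "/") + ref
    return urlunsplit((b.scheme, b.netloc, remove_dot_segments(merged), "", ""))

def climbs_above_root(path: str) -> bool:
    """True when a raw request path has a '..' with no segment left to remove."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

BASE = "http://a/b/c/d;p?q"  # base URI used by the examples in RFC 3986 section 5.4
```

A conforming client never sends the surplus `..` segments, because resolution stops at the root; a server that sees them in a raw request path can normalize the path or reject the request before mapping it to a file.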
