Re: URI security from Larry Masinter on 1995-04-29 (www-talk@w3.org from March to April 1995)

From: Larry Masinter <masinter@parc.xerox.com>
Date: Sat, 29 Apr 1995 08:43:12 PDT
To: paulp@cerf.net
Cc: www-talk@w3.org
Message-Id: <95Apr29.084314pdt.2761@golden.parc.xerox.com>

> Upon whom does the responsibility lie for avoiding ".." in request 
> pathnames? Would a server that rejects any URL request with ".." in it be 
> non-compliant?

.. is interpreted by the CLIENT in relative URLs and by the SERVER in
absolute URLs. That is, if you say

	<A HREF="../baz.html">Baz</A> 

in a document whose base is "http://myserver/foo/bar.html", this is a
interpreted as "http://myserver/baz.html". However, if you say

	<A HREF="http://myserver/../baz.html">Baz</A>

this is an absolute URL and the ".." gets sent to the server, which
can interpret it however it wants.

The relative URL document
<URL:ftp://ds.internic.net/internet-drafts/draft-ietf-uri-relative-url-06.txt>
is up for 'last call' before becoming a proposed standard RFC. Check
it out.

Received on Saturday, 29 April 1995 11:43:33 UTC