(SECFILE) Consensus

The following was added to the 1.0 document after the last
1.1 draft and needs to be added into the 1.1 document in section 14 
(Security Considerations).

Unless I hear complaint, the same will be added to the 1.1 draft.
				- Jim


Add subsection to section 14: (Security Considerations)

Attacks Based On File and Path Names

Implementations of HTTP origin servers should be careful to restrict
the documents returned by HTTP requests to be only those that were
intended by the server administrators. If an HTTP server translates
HTTP URIs directly into file system calls, the server must take special
care not to serve files that were not intended to be delivered to HTTP
clients. For example, Unix, Microsoft Windows, and other operating
systems use ".." as a path component to indicate a directory level above
the current one. On such a system, an HTTP server must disallow any
such construct in the Request-URI if it would otherwise allow access
to a resource outside those intended to be accessible via the HTTP
server. Similarly, files intended for reference only internally to the
server (such as access control files, configuration files, and script code)
must be protected from inappropriate retrieval, since they might
contain sensitive information. Experience has shown that minor bugs
in such HTTP server implementations have turned into security risks.

Received on Tuesday, 26 March 1996 15:02:52 UTC
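
The check the proposed subsection asks for, sketched as an added example (not part of the original message or of any particular server): map the Request-URI onto the document tree, canonicalise it, and refuse anything that lands outside the tree or names a server-internal file. It goes slightly beyond the text by also catching percent-encoded ".." and symlinks that point outside the tree. The function name, the deny-lists and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Assumed names for server-internal files; adjust to the server in use.
INTERNAL_NAMES = {".htaccess", ".htpasswd", "httpd.conf"}
INTERNAL_SUFFIXES = {".cgi", ".conf"}


def resolve_request_path(doc_root, request_uri):
    """Return the file to serve for request_uri, or None to refuse it."""
    root = Path(doc_root).resolve()
    # Decode percent-escapes once so "%2e%2e" is examined as "..".
    path = unquote(urlsplit(request_uri).path)
    if "\x00" in path:
        return None
    # Canonicalise under the root: resolve() collapses ".." and follows
    # symlinks, so the containment check sees the real target.
    candidate = (root / path.lstrip("/")).resolve()
    if root not in candidate.parents:
        return None  # the root itself or anything outside it
    if any(p in INTERNAL_NAMES for p in candidate.relative_to(root).parts):
        return None
    if candidate.suffix.lower() in INTERNAL_SUFFIXES:
        return None
    return candidate if candidate.is_file() else None


def demo():
    """Classify sample Request-URIs against a constructed document tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "htdocs")
        (root / "docs").mkdir(parents=True)
        (root / "index.html").write_text("home")
        (root / "docs" / "a.html").write_text("a")
        (root / ".htaccess").write_text("constructed access control file")
        (root / "search.cgi").write_text("constructed script source")
        Path(tmp, "secret.txt").write_text("outside the document tree")
        os.symlink(Path(tmp, "secret.txt"), root / "link.txt")
        samples = ["/index.html", "/docs/a.html", "/docs/../index.html",
                   "/../secret.txt", "/docs/%2e%2e/%2e%2e/secret.txt",
                   "/link.txt", "/.htaccess", "/search.cgi"]
        return {u: resolve_request_path(root, u) is not None for u in samples}


if __name__ == "__main__":
    for uri, served in demo().items():
        print(f"{'serve ' if served else 'refuse'}  {uri}")
```

A ".." that stays inside the tree ("/docs/../index.html") is still served, matching the text's condition that the construct is disallowed only when it would reach a resource outside those intended.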