W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 1995

Re: partial URLs ?

From: Bob Denny <rdenny@dc3.com>
Date: Thu, 21 Dec 1995 00:03:42 -0800
Message-Id: <9512210003.ZM548@solo.dc3.com>
To: BearHeart/Bill Weinman <BearHeart@bearnet.com>, www-html@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com


On Dec 20, 21:48, BearHeart/Bill Weinman wrote:
> Subject: Re: partial URLs ?
>    I typed this into Netscape:  http://luna:8080/../../../etc/passwd
> 
>    I got this in my log . . . 
> 
> GET /../../../etc/passwd HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/2.0b3 (Win95; I)
> Host: luna:8080
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> 
> 370 Request: GET /../../../etc/passwd
> 370 403 Forbidden (/../../../etc/passwd contains go-back)

Try that on my server (WebSite, try http://solo.dc3.com/) Try other ugly 
combinations like \../\./\.. well you get the idea. It doesn't do the 
multi-dot stuff for multiple "ups" though... Not a bad idea. Maybe next 
verision :-).

WebSite "normalizes" any of that junk out of a URL. The /../ is assumed to be 
the same as / (the parent of the root is the root). If it had to change 
anything to get the "normalized" form, it sends a redirect to the browser in 
an attempt to "send a message" to the browser operator and prevent further 
abuse from relative links in the document.

Just one person's solution to the problem.

  -- Bob
Received on Thursday, 21 December 1995 00:09:25 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:42:57 UTC