- From: Mike Meyer <mwm@contessa.phone.net>
- Date: Thu, 21 Dec 1995 09:23:56 PST
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> Yes, "/../" is a unixism, but the path part of a URL is inherently
> platform specific. I see URLs with "\" in them for DOS-type hosts, and
> "\..\" is just as much of a problem--maybe more because of the lack
> of permissions-bits in most DOSish OSs. The code I've seen that 403s
> these things checks for the ".." and that seems to be a pretty
> universal string for "go up a level in the file system", or do you
> know of an OS with more than 3 servers on the net that doesn't work
> that way?

Do you know of any other OS that *does* work that way? If not, then pretty much every platform on the net except Unix and Dos based ones qualify. I've seen numerous claims that the most common server on the is running on neither Unix nor DOS. Of course, server authors for those platforms will probably just ignore this restriction, as they have no reason to deal with it.

> (side note: MS has implemented "..." and "...." in Win95 for
> referencing up two- and three- levels respectively. I don't know about
> NT, but if it's not in there now it soon will be. A check for ".."
> would obviously catch this as well.)

So you're arguing that the string ".." anywhere in the path - not just as a path component - ought to be illegal? Is there any point in this other than letting incompetent programmers blame the client if their system is broken into?

Seriously, what is the point of this? Competent programmers on boxes that add special meaning to any path component will deal with it in the server whether it's illegal or not. Making it illegal isn't any more likely to make incompetent programmers check for it than a warning. Programmers for other boxes will ignore it. Should clients refuse to send it if it shows up in a document? Should your email address show up in the error message so users can go direct to you for an explanation?

<mike
Received on Thursday, 21 December 1995 09:36:14 UTC
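
The distinction argued in the message above (".." anywhere in the path versus ".." as a path component, and the server handling it itself), as an added example that is not part of the original email or of any server discussed in the thread. The document root, function names and sample paths are constructed assumptions, and the containment check is lexical only (it does not follow symlinks).

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # hypothetical document root

def substring_check(url_path):
    """Blanket rule: allow only if '..' appears nowhere in the raw path."""
    return ".." not in url_path

def component_check(url_path):
    """Allow unless a whole component is a run of two or more dots.

    Decodes percent-escapes once and treats '\\' like '/', so DOS-style
    separators and the '...' / '....' forms from the quoted note are covered.
    """
    decoded = unquote(url_path).replace("\\", "/")
    return not any(len(p) >= 2 and p.strip(".") == "" for p in decoded.split("/"))

def resolve_under_root(url_path, root=DOC_ROOT):
    """Server-side containment: return the mapped file path, or None if it
    would land outside root after lexical normalization (POSIX rules)."""
    decoded = unquote(url_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# Constructed sample request paths.
SAMPLES = [
    "/docs/v1..2/notes.txt",        # '..' inside a filename, harmless
    "/docs/../index.html",          # component '..' that stays inside root
    "/a/%2e%2e/%2e%2e/etc/passwd",  # encoded dots, escapes root
    "\\docs\\..\\..\\secret",       # backslash separators, escapes root
    "/docs/.../x",                  # Win95-style multi-dot component
]

def evaluate(paths=SAMPLES):
    """Return (path, substring_ok, component_ok, resolved) for each path."""
    return [(p, substring_check(p), component_check(p), resolve_under_root(p))
            for p in paths]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The raw substring test rejects the harmless `v1..2` filename yet passes the percent-encoded traversal, while the containment check decides on where the path actually resolves.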