Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

Bjoern Hoehrmann wrote:
>> Not really sure how to fix this short of disabling the whole 
>> Access-Control-Policy-Path feature. Especially if we assume that there 
>> are other canonicalization behaviors out there as well.
> That would be a safe bet, for example, an Apache configuration like:
>   RewriteCond %{QUERY_STRING} for=([^&;]+)
>   RewriteRule ^apis/search /scripts/%1.php [L]
> would map /apis/search?for=images to /scripts/images.php, but would
> also map /apis/search?for=../admin/example to /admin/example.php
> internally, so posting to one would be like posting to the other. There
> are quite a few techniques similar to this in use.

I'm less concerned about this since this is much less likely to happen 
than someone simply using IIS.

It is also arguable that this is simply how the server internally 
produces the resource for the API. I.e. it's not that different from if 
the server had a CGI on /apis/search that executed various server side 
executables based on the 'for' parameter.

/ Jonas

Received on Tuesday, 27 May 2008 22:36:14 UTC
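The rewrite rule Bjoern quotes is easy to reason about once it is modelled. The following added example (not code from the thread, Apache, or the spec; `rewrite`, `policy_path_covers`, `target_in_script_dir`, `audit`, the `/scripts/` directory and the `/apis/` policy path are assumptions built to mirror the quoted rule) resolves the two request URIs from the thread the way the rule would, and shows why a literal prefix match on the request URI says both fall under the same policy path while the server sends them to different directories. A hardened variant of the capture, which accepts only a plain filename, is included to show the server-side fix a defender would apply.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import urlsplit, unquote

# Hypothetical stand-in for the mod_rewrite rule quoted in the thread:
#   RewriteCond %{QUERY_STRING} for=([^&;]+)
#   RewriteRule ^apis/search /scripts/%1.php [L]
PERMISSIVE_FOR = re.compile(r"for=([^&;]+)")
# Hardened variant: the captured value may only be a single plain filename,
# so ".." and "/" can never reach the rewritten path.
HARDENED_FOR = re.compile(r"for=([A-Za-z0-9_-]+)(?:[&;]|$)")

SCRIPT_DIR = "/scripts/"  # assumed directory the rule is meant to stay inside


def rewrite(request_uri: str, pattern: re.Pattern) -> Optional[str]:
    """Return the internal path the rule maps request_uri to, or None when
    the rule does not fire (the request then falls through unchanged)."""
    parts = urlsplit(request_uri)
    if not parts.path.startswith("/apis/search"):
        return None
    m = pattern.search(unquote(parts.query))
    if not m:
        return None
    # The filesystem collapses "..", which is what makes the two requests
    # in the thread land on different scripts.
    return posixpath.normpath(SCRIPT_DIR + m.group(1) + ".php")


def policy_path_covers(policy_path: str, request_uri: str) -> bool:
    """Client-side view: a literal prefix match on the request URI, which
    knows nothing about how the server rewrites it internally."""
    return urlsplit(request_uri).path.startswith(policy_path)


def target_in_script_dir(internal_path: Optional[str]) -> bool:
    """Server-side check: the resolved target must stay under SCRIPT_DIR."""
    return internal_path is not None and internal_path.startswith(SCRIPT_DIR)


def audit(request_uri: str, policy_path: str = "/apis/") -> dict:
    """Compare the client's view of a request with the server's resolution
    under both the permissive and the hardened capture."""
    permissive = rewrite(request_uri, PERMISSIVE_FOR)
    hardened = rewrite(request_uri, HARDENED_FOR)
    return {
        "policy_covers": policy_path_covers(policy_path, request_uri),
        "permissive_target": permissive,
        "permissive_in_scripts": target_in_script_dir(permissive),
        "hardened_target": hardened,
    }


if __name__ == "__main__":
    # Constructed sample requests, taken from the two URIs in the thread.
    for uri in ("/apis/search?for=images", "/apis/search?for=../admin/example"):
        print(uri, audit(uri))
```

Running it shows `policy_covers` is True for both requests, while the permissive rule resolves the second one to `/admin/example.php`, outside `/scripts/`; the hardened capture simply does not fire for it. The general point is that any client-side notion of "which policy applies to this URI" is only as good as the server's own canonicalization, so the server has to constrain what its rewrites can produce.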