Re: [whatwg/url] Single and double dot segments in paths cannot be represented – Premature decoding of %2e character sequences. (#281) from Alwin Blok on 2017-03-27 (public-webapps-github@w3.org from March 2017)

From: Alwin Blok <notifications@github.com>
Date: Mon, 27 Mar 2017 02:52:36 -0700
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/281/289406903@github.com>

Thanks. 

For the record, I do think the solution is somewhat unsatisfactory. I appreciate the safety issue, but I'm not sure about the tradeoff, nor the effectiveness. Servers that fall for such an attack may fall for `http://example.com/..%2fsensitive_info.txt` as well, for example. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/281#issuecomment-289406903

Received on Monday, 27 March 2017 09:53:11 UTC