- From: Claudia Meadows <notifications@github.com>
- Date: Sat, 11 Nov 2023 14:42:28 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 11 November 2023 22:42:35 UTC
> > If |path| is present:
> > If |path| is a DOMString, set |path| to be a list containing |path|.
> > For each |segment| of |path|, append "/" followed by |segment| to |output|.
>
> The path will need to be simplified.

It *could* be simplified, but it doesn't *need* to be simplified. Servers normally handle this through one of four ways:

1. Tolerate it. If it's never used as a file name, it's not a security problem. And it might even be a valid resource ID.
2. Reject it. This is as easy as checking the path against the regexp `/(^|\/)\.\.?($|\/)/`. Or if you really wanted to optimize it, just loop with a counter, increment on every `.`, fail if the counter's 2 on either `/` or end of path, and reset the counter after the check for `/`.
3. Resolve it (say, `pathname = path.posix.normalize(url.pathname)` in Node) and reject accesses resolved to the parent (`pathname === ".." || pathname.startsWith("../")`).
4. Resolve it against `/` and just swallow parent accesses (say, `pathname = path.resolve("/", url.pathname)` in Node).

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/782#issuecomment-1806935485
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/782/1806935485@github.com>