
Re: Percent encoded dots in . and .. path elements

From: ☻Mike Samuel <msamuel@google.com>
Date: Fri, 27 Jun 2014 13:56:57 -0400
Message-ID: <CAHBJ-bnBPwtxkAK+2-nw2NWe0LB+hsYo-KQhQ=G04PQAnGEiFw@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: uri@w3.org

On Fri, Jun 27, 2014 at 12:55 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> will differ regarding to when it is done (if at all).  Likewise, ".." is
> only special during the relative->absolute conversion, so normalizing the
> %2E after relative parsing is going to result in a ".." segment.

I think this is the part I was missing: that resolution is a separate
operation from absolution (?).

In that case, among the libraries, only Java's normalize() is borken.
It advertises
"""
If a ".." segment is preceded by a non-".." segment then both of these
segments are removed. This step is repeated until it is no longer
applicable.
"""

Browsers sending non-absolute URIs for HTTP/HTTPS seems problematic.
RFC 7230 says:
"""
request-target = origin-form / absolute-form / authority-form /
    asterisk-form
"""
and those non-terminals are defined thus:
"""
absolute-form = absolute-URI
...
asterisk-form = "*"
...
authority-form = authority
...
origin-form = absolute-path [ "?" query ]
"""

Conflating absolute and non-absolute paths could have some security
consequences, since the semantics of cookies depend on them, but
cookie path restrictions are not widely used.  I don't recall whether
similarly named cookies on different paths mask one another, but fewer
cookies rarely mean greater privileges.
Received on Friday, 27 June 2014 17:57:25 UTC
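
The ordering point quoted above, as an added example that is not part of the original message or of any library it mentions: RFC 3986 section 5.2.4 dot-segment removal applied before and after decoding %2E, showing that the two orders produce different paths. The function names and sample paths are constructed for illustration.

```python
import re

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4; only literal "." and ".." segments are special."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./") or inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = "/" + inp[4:]          # drop "/.." and keep one leading "/"
            if out:
                out.pop()                # remove the preceding output segment
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/", if any) to the output.
            m = re.match(r"/?[^/]*", inp)
            out.append(m.group(0))
            inp = inp[m.end():]
    return "".join(out)

def decode_dots(path: str) -> str:
    """Decode only %2E / %2e, the unreserved character under discussion."""
    return re.sub(r"%2e", ".", path, flags=re.IGNORECASE)

def dots_then_decode(path: str) -> str:
    # Dot segments removed first: an encoded ".." is not seen, then reappears.
    return decode_dots(remove_dot_segments(path))

def decode_then_dots(path: str) -> str:
    # Decoding first: the encoded ".." takes part in dot-segment removal.
    return remove_dot_segments(decode_dots(path))

def order_sensitive(path: str) -> bool:
    """True when two components using different orders would disagree on the
    path, which matters for path-scoped decisions such as cookie paths."""
    return dots_then_decode(path) != decode_then_dots(path)

if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    for p in ["/app/public/%2E%2E/admin", "/a/%2e/b", "/a/b%2Ec"]:
        print(p, dots_then_decode(p), decode_then_dots(p), order_sensitive(p))
```
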

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:16 UTC