- From: BearHeart/Bill Weinman <BearHeart@bearnet.com>
- Date: Wed, 20 Dec 1995 12:33:11 -0600
- To: "Daniel W. Connolly" <connolly@beach.w3.org>
- Cc: www-html@w3.org
>At 10:24 am 12/20/95 -0500, Daniel W. Connolly wrote:
>>In message <m0tSMkY-000oANC@ccug.wlv.ac.uk>, Jon Wallis writes:
>>>At 13:19 19/12/95 -0600, BearHeart/Bill Weinman wrote:
>>>>At 10:40 am 12/19/95 -0800, Walter Ian Kaye wrote:
>>>><A HREF="../map.html"><IMG SRC="../gifs/btnmap3.gif" ALT="[Index]"
>>> The problem with the partial URLs may be the "../" references.
>>> Some servers, and perhaps some browsers too, disallow them because
>>>they've been abused to get around security measures.
>I think there are two issues that are getting confused here:
>  (1) whether it's OK to use ../../ in an HREF or SRC attribute
>      in an HTML document,
>  (2) whether it's OK to _send_ ../../ in the path field of
>      an HTTP request.
>(1) is cool, (2) is not.

   Question: if (1) is cool, and (2) ain't, howz the browser supposed to
deal with (1) without, at least sometimes, creating (2)?

>  GET /../../../../etc/passwd HTTP/1.0
>  Accept: text/plain

   Thanks for clearing this up, Dan. You stated it much more lucidly
than I did.

>Instead, any server that sees /../ in the HTTP path is supposed to
>issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!

   I have a copy of ...spec-04 and it's not in there either. But,
you're right it should be. (and 403 is "Forbidden" which is where this
ought to fall.)

+----------------------------------------------------------------------+
* BearHeart / Bill Weinman * BearHeart@bearnet.com *
* http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* Trust everyone, but brand your cattle.
Received on Wednesday, 20 December 1995 13:35:06 UTC
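The two halves of the behaviour discussed in the message above, as an added example that is not part of the original thread or of any server or browser mentioned in it. The browser half resolves a relative HREF/SRC such as `../map.html` against the document's base URL and removes the dot-segments (the rule in RFC 3986 section 5.2, the successor to RFC 1808 which was current in 1995), so the path in the GET line never contains `..`. The server half does what Dan Connolly describes: any request path that still carries a `.` or `..` segment, including a percent-encoded one, gets 403 Forbidden, and whatever survives is confined to the document root. The hostnames, paths and the `/var/www/html` document root are made-up fixtures.

```python
"""Added example: relative-URL resolution on the client, ".." rejection on the server."""
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 remove_dot_segments for an absolute path.

    "/docs/../map.html" -> "/map.html"; "/a/b/.." -> "/a/".
    Excess ".." above the root is discarded, so a relative reference can never
    resolve to a path that climbs out of "/".
    """
    segments = path.split("/")          # segments[0] == "" for an absolute path
    out = []
    last = len(segments) - 1
    for i, seg in enumerate(segments[1:], start=1):
        if seg == ".":
            if i == last:
                out.append("")          # trailing "." keeps the trailing slash
            continue
        if seg == "..":
            if out:
                out.pop()
            if i == last:
                out.append("")          # trailing ".." keeps the trailing slash
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve(base: str, ref: str) -> str:
    """Resolve `ref` against `base` (RFC 3986 5.2.2, the cases HTML links need)."""
    b, r = urlsplit(base), urlsplit(ref)
    if r.scheme:                                         # already absolute
        return urlunsplit((r.scheme, r.netloc, remove_dot_segments(r.path), r.query, r.fragment))
    if r.netloc:                                         # network-path reference
        return urlunsplit((b.scheme, r.netloc, remove_dot_segments(r.path), r.query, r.fragment))
    if r.path == "":
        path, query = b.path, (r.query or b.query)
    elif r.path.startswith("/"):
        path, query = remove_dot_segments(r.path), r.query
    else:
        # Merge: drop the base path's last segment, append the reference, then clean up.
        base_dir = b.path.rsplit("/", 1)[0] + "/" if "/" in b.path else "/"
        path, query = remove_dot_segments(base_dir + r.path), r.query
    return urlunsplit((b.scheme, b.netloc, path, query, r.fragment))


def request_line(base: str, ref: str, version: str = "HTTP/1.0") -> str:
    """What a conforming browser puts on the wire for a link in a page at `base`."""
    parts = urlsplit(resolve(base, ref))
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} {version}"


def check_request_path(raw_path: str, docroot: str = "/var/www/html"):
    """Server side: (status, filesystem path).

    403 when any "." or ".." segment survives in the request path; a conforming
    client has already removed them, so their presence means a hand-built request.
    Percent-decoding happens before the check so "%2e%2e" is caught as well.
    """
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/"):
        return 400, None
    if any(seg in (".", "..") for seg in path.split("/")):
        return 403, None
    # Belt and braces: even a path that passed the check is confined to docroot.
    fs_path = posixpath.normpath(docroot + path)
    if fs_path != docroot and not fs_path.startswith(docroot + "/"):
        return 403, None
    return 200, fs_path


if __name__ == "__main__":
    page = "http://www.example.com/docs/page.html"      # made-up base URL
    for ref in ("../map.html", "../gifs/btnmap3.gif", "../../../../etc/passwd"):
        print(f"{ref:28} -> {request_line(page, ref)}")
    for raw in ("/map.html", "/../../../../etc/passwd", "/%2e%2e/etc/passwd"):
        print(f"{raw:28} -> {check_request_path(raw)}")
```

Run stand-alone, the client half shows that `../../../../etc/passwd` in a page under `/docs/` is sent as `GET /etc/passwd`, which the server maps harmlessly under the document root, while a request that still carries `/../` (only producible by a hand-written client) is answered with 403. Servers that decode the path more than once, or that accept backslashes as separators, need the check repeated after each transformation; this example assumes a single percent-decoding step.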