Re: partial URLs ? (was from Mike Meyer on 1995-12-12 (www-html@w3.org from December 1995)

From: Mike Meyer <mwm@contessa.phone.net>
Date: Tue, 12 Dec 1995 13:59:37 PST
To: www-html@w3.org
Message-Id: <19951212.7B4D9E8.CC13@contessa.phone.net>

> I like Dan Connolly's response that a well-behaved Client should NOT
> request any URL with ../ in it because it may get a 403 response.

I don't like that argument (and I didn't see it from Dan) - it's very
Unix-centric, and doesn't generalize. After all, if you can't use some
string in a URL because it MAY get a 403 response, then I can add a
single line to my server config that would imply you shouldn't use any
text string in a URL.

What behavior did Dan (or you) recommend if I type in a URL with a
"../" in it by hand? Not doing what the user asked you to to avoid
vague security problems on someone else's machine is pretty clearly
broken. Escaping the URL is acceptable, and might even produce the
correct results.

	<mike

Received on Wednesday, 20 December 1995 17:08:49 UTC