- From: William C. Cheng <william@cs.columbia.edu>
- Date: Wed, 20 Dec 1995 23:02:58 -0500
- To: www-html@w3.org
John Franks <john@math.nwu.edu> wrote:
> As I recall the draft RFC for URL's specifies that certain characters
> (like space) are forbidden, certain (like '?') have special meaning
> and otherwise the "path" part of a URL is an opaque string (which, in
> particular, may have nothing to do with a path). Neither '/' nor '.'
> are forbidden or have special meaning. They do have special meaning
> *for some implementations* and no special meaning for others.
> Likewise the colon may have special meaning for some implementations
> and not for others.
>
> The fact that certain strings may represent securtity risks for
> some implementations does not automatically make them illegal.
> I don't believe that "/../" is forbidden in HTTP URL's. If
> I am wrong I would be interested in a reference.
>
> It would, of course, be quite reasonable for the HTTP spec to have
> a UNIX-centric warning to implementors that they should make this
> string illegal for their implementation (or risk the consequences).
It seems to be true that "/../" is not forbidden explicitely. Now,
can anyone give me an example where http://foo/b/../bar.html and
http://foo/bar.html should _not_ be interpreted the same way? Forget
about the UNIX-centric business (we all know where DOS gets its "\"
and Mac gets its ":") because all these systems basically have
hierarchical file systems. So the real question is whether a "/"
separator in an URL implies a level change in a hierarchy.
--
Bill Cheng // Guest at Columbia Unversity Computer Science Department
william@CS.COLUMBIA.EDU ...!{uunet|ucbvax}!cs.columbia.edu!william
WWW Home Page: <URL:http://www.cs.columbia.edu/~william>
Received on Wednesday, 20 December 1995 23:03:03 UTC