- From: Bob Denny <rdenny@dc3.com>
- Date: Thu, 21 Dec 1995 00:03:42 -0800
- To: BearHeart/Bill Weinman <BearHeart@bearnet.com>, www-html@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

On Dec 20, 21:48, BearHeart/Bill Weinman wrote:
> Subject: Re: partial URLs ?
> I typed this into Netscape: http://luna:8080/../../../etc/passwd
>
> I got this in my log . . .
>
> GET /../../../etc/passwd HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/2.0b3 (Win95; I)
> Host: luna:8080
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>
> 370 Request: GET /../../../etc/passwd
> 370 403 Forbidden (/../../../etc/passwd contains go-back)

Try that on my server (WebSite, try http://solo.dc3.com/) Try other ugly combinations like \../\./\.. well you get the idea. It doesn't do the multi-dot stuff for multiple "ups" though... Not a bad idea. Maybe next version :-).

WebSite "normalizes" any of that junk out of a URL. The /../ is assumed to be the same as / (the parent of the root is the root). If it had to change anything to get the "normalized" form, it sends a redirect to the browser in an attempt to "send a message" to the browser operator and prevent further abuse from relative links in the document.

Just one person's solution to the problem.

-- Bob

Received on Thursday, 21 December 1995 03:05:12 UTC
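
The normalize-then-redirect behaviour described in the message, as an added example; this is not WebSite's code and not part of the original post. The function names, the 302 status, and decoding percent-escapes once before the check are assumptions made for the illustration.

```python
from urllib.parse import quote, unquote

def normalize_path(raw_path):
    """Return (normalized_path, changed) for the path part of a request URL."""
    # Assumption: percent-escapes are decoded once before the check, so
    # "%2e%2e" is treated the same as "..".
    decoded = unquote(raw_path)
    # Treat backslashes as separators, covering forms like "\../\./\..".
    unified = decoded.replace("\\", "/")
    stack = []
    for segment in unified.split("/"):
        if segment in ("", "."):
            continue              # empty or current-directory segment
        if segment == "..":
            if stack:
                stack.pop()       # go up one level
            # at the root, ".." stays at the root
            continue
        stack.append(segment)     # "..." and longer are ordinary names here
    normalized = "/" + "/".join(stack)
    # Keep a trailing slash on directory-style requests.
    if stack and unified.endswith("/"):
        normalized += "/"
    return normalized, normalized != decoded

def respond(raw_path):
    """Return (status, target): redirect if the path had to be rewritten."""
    normalized, changed = normalize_path(raw_path)
    if changed:
        return 302, quote(normalized)   # Location header value (302 assumed)
    return 200, normalized              # path to resolve under the doc root

# Constructed sample requests, including the one quoted in the message.
SAMPLES = [
    "/../../../etc/passwd",
    "/\\../\\./\\..",
    "/docs/./a/../index.html",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/docs/index.html",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(path, "->", respond(path))
```

The normalized path is always resolved beneath the document root, so /etc/passwd in the output means a file of that name inside the served tree, not the system file.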