- From: Mike Meyer <mwm@contessa.phone.net>
- Date: Thu, 21 Dec 1995 11:16:07 PST
- To: www-html@w3.org
> >It would, of course, be quite reasonable for the HTTP spec to have > >a UNIX-centric warning to implementors that they should make this > >string illegal for their implementation (or risk the consequences). > > And by the same token, a warning that URL paths are not file system paths, > regardless of the one to one mapping in many servers. Actually, the warning doesn't have to be unix centric. It can also imply the warning about file systems at the same time. Suggested wording: While URLs paths are not file system paths, they may be implemented as such. If this is the case, any path components that have a meaning other than "descend into the named directory" in the file system should be examined for possibly security problems and disallowed if there are any. For example, ".." as a path component on Unix and MS-DOS means to go up one directory level, which can potentially access files outside the server tree, and should thus be disallowed. See - it has a non-Unix-centric warning, a warning that URLs are not file paths, and mentions ".." explicitly. <mike
Received on Thursday, 21 December 1995 14:33:31 UTC