W3C home > Mailing lists > Public > www-talk@w3.org > March to April 1995

URI security

From: Paul Phillips <paulp@cerf.net>
Date: Fri, 28 Apr 1995 15:02:34 -0700 (PDT)
To: www-talk@www10.w3.org
Message-Id: <Pine.SUN.3.91.950428145919.1633A-100000@nic.cerf.net>
Upon whom does the responsibility lie for avoiding ".." in request 
pathnames? Would a server that rejects any URL request with ".." in it be 
non-compliant? It's my (limited) understanding that the client is 
supposed to take care of this, i.e. if I have a page like so:

/foo/bar.html:

<A HREF="../baz.html">Baz</A>

The client should issue that request as /baz.html rarther than 
/foo/../baz.html.  Is this codified anywhere? I don't like the server 
overhead of doing .. translations, I'd rather reject it out of hand, if I 
can. 

--
Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
Received on Friday, 28 April 1995 18:04:55 UTC

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:16 UTC