Re: URI security

From: Larry Masinter <masinter@parc.xerox.com>
Date: Sat, 29 Apr 1995 08:43:12 PDT
To: paulp@cerf.net
Cc: www-talk@w3.org
Message-Id: <95Apr29.084314pdt.2761@golden.parc.xerox.com>

> Upon whom does the responsibility lie for avoiding ".." in request 
> pathnames? Would a server that rejects any URL request with ".." in it be 
> non-compliant?

.. is interpreted by the CLIENT in relative URLs and by the SERVER in
absolute URLs. That is, if you say

	<A HREF="../baz.html">Baz</A> 

in a document whose base is "http://myserver/foo/bar.html", this is
interpreted as "http://myserver/baz.html". However, if you say

	<A HREF="http://myserver/../baz.html">Baz</A>

this is an absolute URL and the ".." gets sent to the server, which
can interpret it however it wants.

The relative URL document is up for 'last call' before becoming a
proposed standard RFC. Check it out.
Received on Saturday, 29 April 1995 11:43:33 UTC
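
The client/server split described in the message above, as an added example that is not part of the original post: the client collapses ".." in a relative reference before sending anything, while an absolute URL delivers the ".." to the server, which applies its own policy. The document root `/srv/www` and the refuse-on-escape policy in `server_map` are assumptions of this example, one of the interpretations a server is free to choose.

```python
from urllib.parse import urljoin, urlsplit, unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)


def client_resolve(base, href):
    """Resolve a relative reference the way a client does, before any request."""
    return urljoin(base, href)


def path_sent_to_server(absolute_url):
    """Path component of an absolute URL as written; ".." is not collapsed here."""
    return urlsplit(absolute_url).path


def server_map(request_path, docroot=DOCROOT):
    """Map a request path to a file under docroot, or return None to refuse.

    Policy (assumed for this example): "." is dropped, ".." pops one
    segment, and a ".." that would climb above the root is refused.
    """
    stack = []
    for raw in request_path.split("/"):
        seg = unquote(raw)  # decode first, so "%2e%2e" is treated as ".."
        if seg in ("", "."):
            continue
        if "/" in seg or "\x00" in seg:  # encoded slash or NUL inside a segment
            return None
        if seg == "..":
            if not stack:  # nothing left to pop: the path leaves the root
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/".join([docroot] + stack)


if __name__ == "__main__":
    base = "http://myserver/foo/bar.html"
    print(client_resolve(base, "../baz.html"))
    # Constructed request paths, including the one from the message.
    for url in ("http://myserver/../baz.html", "http://myserver/foo/../baz.html"):
        path = path_sent_to_server(url)
        print(path, "->", server_map(path))
```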
