Re: partial URLs ? (was <p> ... </p>)

BearHeart/Bill Weinman (
Wed, 20 Dec 1995 14:43:18 -0600

At 03:24 pm 12/20/95 -0500, wrote:
>| >In stead, any server that sees /../ in the HTTP path is supposed to
>| >issue a 403 Unauthorized response. (Is this in the HTTP specs somewhere?
>| >YIKES! I can't find it in draft-ietf-http-v10-spec-02.txt!!!
>| I have a copy of ...spec-04 and it's not in there either. But,
>| you're right it should be. (and 403 is "Forbidden" which is where
>| this ought to fall.)
>Why should that have to be in the spec?
>A server can legally say that you are forbidden to view any file it so
>chooses based on any criteria it want to, no? (eg. who you are, what
>you requested, time of day, phase of the moon...)
>Therefore it is already reasonable for a server to refuse to serve you
>/../../etc/password. On the other hand, if I *want* to let you look at
>my entire disk, including /etc/password, I should be allowed to write
>a server that does so, no? My point is that the spec should be
>minimalist in telling me what I should let users do.

The spec has to make security precautions where reasonable if
we expect a broad implementation of a standard. It's part of the
IETF process.

If you want to make your whole disk accessable to the world, then
you still can, within the spec, point your document root at "/".

If you only want to make, say, "/etc", available you can do
that with a symbolic link.

>is really necessarily true. Perhaps it makes more sense to return an
>"I don't know what you want (invalid request)" type error code rather
>than "Forbidden" which implies that I know what you want, but you
>aren't allowed to look there.

The idea of "403 Forbidden" is to say "no need to try that again
because it doesn't work and it never will".

* BearHeart / Bill Weinman
* * * *
* Author of The CGI Book: * *
* Trust everyone, but brand your cattle.