URI security

Paul Phillips (paulp@cerf.net)
Fri, 28 Apr 1995 20:27:18 +0500


Upon whom does the responsibility lie for avoiding ".." in request
pathnames? Would a server that rejects any URL request with ".." in it be
non-compliant? It's my (limited) understanding that the client is
supposed to take care of this, i.e. if I have a page like so:

/foo/bar.html:

<A HREF="../baz.html">Baz</A>

The client should issue that request as /baz.html rather than
/foo/../baz.html. Is this codified anywhere? I don't like the server
overhead of doing .. translations, I'd rather reject it out of hand, if I
can.

--
Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850
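
The two behaviours discussed in this message, as an added Python sketch that is not part of the original post: a client resolving the relative link before sending the request, and a server that refuses any request path containing a ".." segment instead of translating it. The function names, the single round of percent-decoding and the 400 status are assumptions made for illustration.

```python
from urllib.parse import urljoin, unquote


def client_resolve(base_path, href):
    """Resolve a relative reference against the page it appears on,
    as the client does before issuing the request."""
    return urljoin(base_path, href)


def has_dotdot_segment(request_path):
    """Return True if the path contains a '..' segment.

    The query string is ignored, and the path is percent-decoded once
    (assumption: the server decodes once before mapping to a file),
    so %2e%2e and an encoded slash next to '..' are caught as well.
    """
    path = request_path.split("?", 1)[0]
    decoded = unquote(path)
    return any(segment == ".." for segment in decoded.split("/"))


def handle(request_path):
    """Hypothetical server policy: reject out of hand, no '..' translation."""
    if has_dotdot_segment(request_path):
        return 400  # assumed status code for a refused request
    return 200


if __name__ == "__main__":
    # Constructed sample requests.
    print(client_resolve("/foo/bar.html", "../baz.html"))
    for p in ["/baz.html", "/foo/../baz.html", "/foo/%2e%2e/baz.html",
              "/foo/..%2Fbaz.html", "/foo/notes..txt", "/search?q=../x"]:
        print(p, handle(p))
```

Checking whole segments rather than the substring ".." leaves names such as notes..txt and query strings untouched while still refusing the unresolved form.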