Re: URI security

Larry Masinter (masinter@parc.xerox.com)
Sat, 29 Apr 1995 11:46:05 +0500


> Upon whom does the responsibility lie for avoiding ".." in request
> pathnames? Would a server that rejects any URL request with ".." in it be
> non-compliant?

".." is interpreted by the CLIENT in relative URLs and by the SERVER in
absolute URLs. That is, if you say

<A HREF="../baz.html">Baz</A>

in a document whose base is "http://myserver/foo/bar.html", this is
interpreted as "http://myserver/baz.html". However, if you say

<A HREF="http://myserver/../baz.html">Baz</A>

this is an absolute URL and the ".." gets sent to the server, which
can interpret it however it wants.

The relative URL document
<URL:ftp://ds.internic.net/internet-drafts/draft-ietf-uri-relative-url-06.txt>
is up for 'last call' before becoming a proposed standard RFC. Check
it out.
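
The client/server split described in this message, as an added example that is not part of the original post: the client resolves ".." in a relative reference before any request is made, while an absolute URL carries ".." in its path to the server, which then applies its own policy. The document root, the function names and the reject-on-escape policy are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urljoin, urlsplit, unquote

DOCROOT = "/srv/www"  # hypothetical document root, assumed for this example


def client_resolve(base, href):
    """Client side: resolve a relative reference against the document base."""
    return urljoin(base, href)


def request_path(absolute_url):
    """Path of an absolute URL exactly as written (no ".." resolution)."""
    return urlsplit(absolute_url).path


def server_map(path, docroot=DOCROOT):
    """Server side, one possible policy: map the request path under docroot,
    returning None when ".." segments would climb above the root."""
    decoded = unquote(path)  # "%2e%2e" must be treated the same as ".."
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None  # would escape the document root: refuse
        else:
            depth += 1
    return posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))


if __name__ == "__main__":
    # The two links from the message above.
    print(client_resolve("http://myserver/foo/bar.html", "../baz.html"))
    print(request_path("http://myserver/../baz.html"))
    # Constructed request paths showing the server policy.
    for p in ("/../baz.html", "/foo/../baz.html", "/%2e%2e/baz.html"):
        print(p, "->", server_map(p))
```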