httpd-dev mailing list archives

From Brian Behlendorf
Subject Re: New version of B60-leading-slash-2.txt for 0.5.1
Date Mon, 10 Apr 1995 18:52:38 GMT
On Mon, 10 Apr 1995, David Robinson wrote:
> Besides which, I have a hidden agenda on this. Consider a URL of the form
> http://somehost.domain/../path/file
> Currently, translate_name() on this calls getparents() which simply deletes
> the leading ../ . Instead, it should really return a 400 or 404 error.
> So I want getparents() to return a code indicating that the URL was potentially
> bad, and hence I need translate_name to return a BAD_URL too.

Really?  Is something like http://host/path/../path2/file.html disallowed 
by the URL spec?  I don't think it is - after all how do you know that 
"path" isn't really a script that takes its arguments via PATH_INFO, with 
".." being a valid part of its path.... This is an issue with some broken 
browsers out there that misinterpret relative URLs that point up a 

Roy Fielding is The Man when it comes to relative URLs - I'll wait for 
his response to whether something like 
http://host/path/../path2/file.html should return a 400, 404, or 200 if 
http://host/path2/file.html really exists.
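
The behaviour David Robinson asks for above, reporting a leading ../ rather than silently deleting it, sketched as an added example; it is not code from this message or from the Apache source. The name resolve_dot_segments and the PATH_OK/PATH_BAD codes are hypothetical, and the path is assumed to be absolute and already percent-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes, standing in for the BAD_URL idea in the thread. */
#define PATH_OK   0
#define PATH_BAD (-1)

/* Resolve "." and ".." segments of an absolute, already-decoded URL path
 * in place. Returns PATH_BAD when a ".." would climb above the root
 * (the buffer is then left partially rewritten) instead of dropping it. */
int resolve_dot_segments(char *path)
{
    char *in = path, *out = path;
    if (*in != '/')
        return PATH_BAD;                 /* only absolute paths handled */

    while (*in) {                        /* in always points at a '/' */
        char *seg = in + 1;
        size_t len = strcspn(seg, "/");
        int dot = (len == 1 && seg[0] == '.');
        int dotdot = (len == 2 && seg[0] == '.' && seg[1] == '.');
        if (dotdot) {
            if (out == path)
                return PATH_BAD;         /* nothing left to pop */
            while (*--out != '/')        /* pop the previous segment */
                ;
        }
        if (dot || dotdot) {
            if (seg[len] == '\0')
                *out++ = '/';            /* dot segment was last: keep "/" */
        } else {
            *out++ = '/';                /* copy an ordinary segment */
            memmove(out, seg, len);
            out += len;
        }
        in = seg + len;
    }
    *out = '\0';
    return PATH_OK;
}

int main(void)
{
    char ok[]  = "/path/../path2/file.html";   /* constructed inputs, shaped */
    char bad[] = "/../path/file";              /* like the URLs in the thread */
    printf("%d %s\n", resolve_dot_segments(ok), ok);
    printf("%d\n", resolve_dot_segments(bad));
    return 0;
}
```

An interior ".." that stays inside the root resolves normally, so only the leading case is flagged; whether the caller maps PATH_BAD to a 400 or a 404 is the question the thread leaves open.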
