httpd-users mailing list archives

From Mike - EMAIL IGNORED <m_d_berger_1...@yahoo.com>
Subject [users@httpd] RE: /my.html#mySection
Date Mon, 19 Jun 2006 16:21:22 GMT
On Mon, 19 Jun 2006 09:05:42 +0200, Boyle Owen wrote:

>> -----Original Message-----
>> From: news [mailto:news@sea.gmane.org] On Behalf Of Mike - 
>> EMAIL IGNORED
>> Sent: Sunday, June 18, 2006 4:09 AM
>> To: users@httpd.apache.org
>> Subject: [users@httpd] /my.html#mySection
>> 
>> I have seen in several browsers that requests such as
>> 
>>    http://www.xxx.net/my.html#mySection
>> 
>> get to the server without the #mySection . The page
>> is delivered and the #mySection is resolved locally
>> by the browser, as would seem to be appropriate.
> 
> I've read your post a few times but can't understand it. Can you try to
> explain again what the problem is?
> 
> Please don't assume we know anything about your set-up (OS, version, for
> example). BTW, do you really put "#" in the URL or is it shorthand for
> something? (# is an unsafe character...)
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
>> 
>> Now my CGI does not know about #mySection.  If it
>> were to get a GET with the #mySection on it, it
>> would throw an exception, and return a 403.
>> 
>> This is exactly what just happened.  The log line
>> appears normal except for this.
>> 
>> What should I make of this?  I could strip off
>> the #mySection in the CGI, and otherwise process
>> normally.  Is there some hidden threat here?
>> 
>> Thanks for your advice.
>> Mike.
>> 
>> 
[...]

# uname -a
Linux mbrc20 2.6.14-1.1656_FC4 #1 Thu Jan 5 22:13:22
   EST 2006 i686 i686 i386 GNU/Linux

Here is a (slightly edited with XXX YYY ZZZ) log line
from httpd-2.0.54-10.3 :

   64.233.173.67 - - [18/Jun/2006:14:03:11 -0400]
      "GET /XXX/XXX/YYY.html#ZZZ
      HTTP/1.1" 403 - "http://www.XXX.net/religion/XXX/XXX/YYY.html"
      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
      .NET CLR 1.1.4322)"

As you can see, good practice notwithstanding, there is a #YYY
in the GET.  I have confirmed this by examining the incoming
packet captured with tethereal (ethereal-0.10.13-1.FC4.2) .

Now the #ZZZ is legitimate in the sense that my YYY.html does
contain that hypertext. However, in my experience, browsers do
not normally send the #ZZZ, as explained above.  

My question is "how should I respond to it?"  Here are choices:

   1. Send 403 (Forbidden), which is what I do now.
   2. Strip the #ZZZ in my CGI and process YYY.html normally.
   3. Something else I didn't think of.

Additionally, I wonder why the #ZZZ appeared in the first place.

Thanks for your interest in this.
Mike.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
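
Added example, not part of the original message: a Python sketch that scans Apache combined-format access log lines for a raw `#` in the request target, as in the log line quoted above, and reports the target with the fragment split off plus whether the Referer path is the same page. The function names and the sample lines (documentation addresses, example.net) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def split_fragment(target):
    """Split a request target at the first raw '#'; %23 is path data and is left alone."""
    base, sep, frag = target.partition("#")
    return base, (frag if sep else None)

def fragment_requests(lines):
    """Return one record per log line whose request target carries a raw '#'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        base, frag = split_fragment(m["target"])
        if frag is None:
            continue
        hits.append({
            "host": m["host"],
            "status": int(m["status"]),
            "target": base,  # what the handler would see after stripping
            "fragment": frag,
            # True when the Referer path equals the requested path (query ignored)
            "referer_same_page": urlsplit(m["referer"]).path == base.partition("?")[0],
        })
    return hits

# Constructed sample lines, not taken from the original message.
SAMPLE = [
    '192.0.2.10 - - [18/Jun/2006:14:03:11 -0400] "GET /docs/page.html#sec2 HTTP/1.1" 403 - "http://www.example.net/docs/page.html" "ExampleAgent/1.0"',
    '192.0.2.11 - - [18/Jun/2006:14:03:12 -0400] "GET /docs/page.html HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.12 - - [18/Jun/2006:14:03:13 -0400] "GET /docs/a%23b.html?x=1 HTTP/1.1" 200 812 "-" "ExampleAgent/1.0"',
    '192.0.2.13 - - [18/Jun/2006:14:03:14 -0400] "GET /cgi-bin/show?id=7#top HTTP/1.1" 403 - "-" "ExampleAgent/1.0"',
]

if __name__ == "__main__":
    for hit in fragment_requests(SAMPLE):
        print(hit)
```

Grouping the resulting records by host and user agent shows whether the fragment comes from one misbehaving client or from many.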

