At 09:13 pm 12/20/95 -0600, Chuck Shotton wrote:
>The most important thing to remember is that this type of URL syntax only
>has meaning to WWW clients. HTTP servers always receive the complete path
>so all of this relative URL stuff is client-only. If clients are
>interpreting the ".." above the root of the doc tree, you should be very
>worried because they know something about your server that the server
>didn't tell them.
>If you are worried about encoded ".." characters in a URL, then that is
>strictly a server side problem and the server author should be spanked for
>not checking.
I think your assumption is in error.
I have a little testing-server I wrote so I could see how
different browsers act about stuff. It logs the entire conversation.
(It's really usefull--it'll be in my book.)
I typed this into Netscape: http://luna:8080/../../../etc/passwd
I got this in my log . . .
GET /../../../etc/passwd HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/2.0b3 (Win95; I)
Host: luna:8080
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
370 Request: GET /../../../etc/passwd
370 403 Forbidden (/../../../etc/passwd contains go-back)
So it's not just a client problem . . . the client blindly sends
that request to the server. The server MUST deal with this, and as
you can see, it MUST disallow it.
(OTOH, I could have sent that request just as easily from telnet,
and chances are that someone trying to break into a system would not
be using Netscape anyway.)
Personally, I think 403 is the appropriate message. If someone
is doing a Bad Thing, an ambiguous message adds nothing to the
security--they know what they're trying to do. And if they aren't
malevolent then there's no valid reason to be ambiguous.
Of course, a 603 Scatalogical message would be okay too! ;^)
(I think I'll put one in my mini-server. <bg>)
+----------------------------------------------------------------------+
* BearHeart / Bill Weinman
* BearHeart@bearnet.com * * http://www.bearnet.com/ *
* Author of The CGI Book: * http://www.bearnet.com/cgibook/ *
* Sex is dirty. So save it for someone you love.