Re: partial URLs ?

Bob Denny (rdenny@dc3.com)
Thu, 21 Dec 1995 00:03:42 -0800


On Dec 20, 21:48, BearHeart/Bill Weinman wrote:
> Subject: Re: partial URLs ?
> I typed this into Netscape: http://luna:8080/../../../etc/passwd
>
> I got this in my log . . .
>
> GET /../../../etc/passwd HTTP/1.0
> Connection: Keep-Alive
> User-Agent: Mozilla/2.0b3 (Win95; I)
> Host: luna:8080
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
>
> 370 Request: GET /../../../etc/passwd
> 370 403 Forbidden (/../../../etc/passwd contains go-back)

Try that on my server (WebSite, try http://solo.dc3.com/). Try other ugly
combinations like \../\./\.. well you get the idea. It doesn't do the
multi-dot stuff for multiple "ups" though... Not a bad idea. Maybe next
version :-).

WebSite "normalizes" any of that junk out of a URL. The /../ is assumed to be
the same as / (the parent of the root is the root). If it had to change
anything to get the "normalized" form, it sends a redirect to the browser in
an attempt to "send a message" to the browser operator and prevent further
abuse from relative links in the document.

Just one person's solution to the problem.

-- Bob
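
The normalize-then-redirect behaviour described in the message above, sketched as an added example (not part of the original post and not WebSite's code). The function names are hypothetical, and percent-decoding before the check is an assumption that goes beyond what the message describes.

```python
from urllib.parse import quote, unquote

def normalize_path(raw_path):
    """Return (normalized, changed) for the path part of a request target."""
    # Assumption: decode once first, so %2e%2e is seen as ".." by the check.
    decoded = unquote(raw_path)
    # Treat backslashes as separators, so \../\./\.. cannot slip past.
    segments = decoded.replace("\\", "/").split("/")
    stack = []
    for seg in segments:
        if seg in ("", "."):
            continue                 # empty and "." segments carry no meaning
        if seg == "..":
            if stack:
                stack.pop()          # go up one level
            continue                 # at the root: parent of the root is the root
        stack.append(seg)
    normalized = "/" + "/".join(stack)
    # Keep a trailing slash when the request named a directory.
    if stack and segments[-1] in ("", ".", ".."):
        normalized += "/"
    return normalized, normalized != decoded

def handle(target):
    """Decide what to do with a request target (path plus optional query)."""
    path, sep, query = target.partition("?")   # the query string is left alone
    normalized, changed = normalize_path(path)
    if changed:
        # Anything that had to be cleaned up is answered with a redirect
        # to the clean form instead of being served directly.
        return "redirect", quote(normalized) + sep + query
    # Only a path that was already clean is mapped under the document root.
    return "serve", normalized

if __name__ == "__main__":
    # Constructed sample targets, including the two forms quoted in the thread.
    for t in ["/../../../etc/passwd", "\\../\\./\\..", "/index.html",
              "/%2e%2e/%2e%2e/etc/passwd", "/docs/../index.html?x=../y"]:
        print(f"{t!r:40} -> {handle(t)}")
```

Because ".." at the root is clamped rather than rejected, the result can never name anything above the document root, whatever mix of separators and dot segments the client sends.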