Brian wrote:
>On Mon, 10 Apr 1995, David Robinson wrote:
>> Besides which, I have a hidden agenda on this. Consider a URL of the form
>> http://somehost.domain/../path/file
>> Currently, translate_name() on this calls getparents() which simply deletes
>>n> the leading ../ . Instead, it should really return a 400 or 404 error.
>> So I want getparents() to return a code indicating that the URL was potentially
>> bad, and hence I need translate_name to return a BAD_URL too.
>
>Really? Is something like http://host/path/../path2/file.html disallowed
>by the URL spec? I don't think it is - after all how do you know that
>"path" isn't really a script that takes its arguments via PATH_INFO, with
>".." being a valid part of its path.... This is an issue with some broken
>browsers out there that misinterpret relative URL's that point up a
>directory.
>
>Roy Fielding is The Man when it comes to relative URL's - I'll wait for
>his response to whether something like
>http://host/path/../path2/file.html should return a 400, 404, or 200 if
>http://host/path2/file.html really exists.
Sorry Brian, you didn't read what I wrote. I wasn't talking about relative
URLs (although I did not make that clear.)
Firstly, in response to your (mistaken) questions:
1.
http://host/path/../path2/file.html is an absolute URL, not a relative
URL, as it starts with a scheme.
2. In the context of an absolute URL, the semantics of a .. path component
are not defined. It is up to the server how it interprets this.
Thus
http://host/path/../path2/file.html could even be a different document
to
http://host/path2/file.html 3. For a relative URL, the semantics of .. are defined.
So path/../path2/file.html in the context of
http://host/ is _defined_ to correspond to the absolute URL
http://host/path2/file.html To clarify:
I believe that the path sent in the http request is the path component of
an absolute URL, not a relative URL. So we are not considering relative
URLs here.
The current situation:
So the URL spec does not mandate any specific action in response to
GET /path/../path2/file.html. We can do whatever we want. However, I think
we would be insane not to map this onto /path2/file.html
My question (actually just an comment):
What should we do with
http://host/../path/file.html, i.e. a
GET /../file.html ? Currently httpd will map this to /file.html. I was
suggesting that this is wrong, and that this should return 400 or 404.
David.
References:
draft-ietf-uri-relative-url-06.txt: `Relative Uniform Resource Locators'.