URI security

Paul Phillips (paulp@cerf.net)
Fri, 28 Apr 1995 20:27:18 +0500

Upon whom does the responsibility lie for avoiding ".." in request
pathnames? Would a server that rejects any URL request with ".." in it be
non-compliant? It's my (limited) understanding that the client is
supposed to take care of this, i.e. if I have a page like so:


<A HREF="../baz.html">Baz</A>

The client should issue that request as /baz.html rarther than
/foo/../baz.html. Is this codified anywhere? I don't like the server
overhead of doing .. translations, I'd rather reject it out of hand, if I

Paul Phillips                                 EMAIL: paulp@cerf.net  
WWW: http://www.primus.com/staff/paulp/       PHONE: (619) 220-0850