Re: URI security

Larry Masinter (
Sat, 29 Apr 1995 11:46:05 +0500

> Upon whom does the responsibility lie for avoiding ".." in request
> pathnames? Would a server that rejects any URL request with ".." in it be
> non-compliant?

".." is interpreted by the CLIENT in relative URLs and by the SERVER in
absolute URLs. That is, if you say

<A HREF="../baz.html">Baz</A>

in a document whose base is "http://myserver/foo/bar.html", this is
interpreted as "http://myserver/baz.html". However, if you say

<A HREF="http://myserver/../baz.html">Baz</A>

this is an absolute URL and the ".." gets sent to the server, which
can interpret it however it wants.

The relative URL document
is up for 'last call' before becoming a proposed standard RFC. Check
it out.
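
The split described in the message above, as an added example that is not part of the original message: the client resolves ".." in a relative reference before anything is sent, while ".." in an absolute URL reaches the server unchanged, and the server then applies its own policy (here, one possible choice: reject). The function names and the `/srv/www` document root are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urljoin, urlsplit, unquote


def client_resolve(base, href):
    """Client side: resolve a relative reference against the document base."""
    return urljoin(base, href)


def path_sent_to_server(absolute_url):
    """The path component of an absolute URL, as it appears in the request."""
    return urlsplit(absolute_url).path


def server_map_path(request_path, doc_root="/srv/www"):
    """Server side: map a request path to a file under doc_root.

    Policy chosen for this example: reject any request containing a ".."
    segment. Percent-escapes are decoded first so that "%2e%2e" is treated
    the same as "..". Returns None when the request is rejected.
    """
    segments = unquote(request_path).split("/")
    if ".." in segments:
        return None
    # Drop empty and "." segments, then join under the document root.
    kept = [s for s in segments if s not in ("", ".")]
    return posixpath.join(doc_root, *kept)


if __name__ == "__main__":
    base = "http://myserver/foo/bar.html"

    # Relative reference: the client removes ".." itself.
    resolved = client_resolve(base, "../baz.html")
    print(resolved, "->", server_map_path(path_sent_to_server(resolved)))

    # Absolute URL: ".." is still in the path the server receives.
    raw = path_sent_to_server("http://myserver/../baz.html")
    print(raw, "->", server_map_path(raw))
```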