On Sep 13, 2007, at 7:54 AM, Plüm, Rüdiger, VF-Group wrote:
Changes to the request URI must be referred back to the client in the
form of a redirect.  Any other choice will cause security holes in
the request chain, somewhere.

The proxy (when acting as a proxy) must not change the URI.

The reverse proxy (gateway) is just an origin server with a
stupid name -- it must send a redirect if it makes the above
change to a URI.

Sorry for being confused, but what change to a URI are you
talking about? Transforming

GET /a/../b/somewhere

into

a request for /b/somewhere?

This is the usual transformation we do also in the case we deliver
static content (without sending a redirect to /b/somewhere).

We are supposed to be sending a redirect (or 403) in that case.
Is that not true?

....Roy
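
The redirect-or-403 handling discussed in this thread, as an added example (not code from the thread or from any server). The names `remove_dot_segments` and `decide`, the choice of 301, and the treatment of `%2e` as `.` are assumptions of this sketch; the sample targets are constructed.

```python
import re

_PCT_DOT = re.compile(r"%2e", re.IGNORECASE)


def remove_dot_segments(path):
    """Return (normalized_path, climbed_above_root) for an absolute path.

    Follows RFC 3986 section 5.2.4. "%2e" is compared as "." because an
    encoded unreserved character is equivalent to the literal one
    (RFC 3986 section 6.2.2.2); that choice is an assumption of this sketch.
    """
    segments = path.split("/")[1:]
    out, escaped = [], False
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        plain = _PCT_DOT.sub(".", seg)
        if plain in (".", ".."):
            if plain == "..":
                if out:
                    out.pop()
                else:
                    escaped = True  # ".." with nothing left to remove
            if last:
                out.append("")  # keep the trailing slash
        else:
            out.append(seg)
    return "/" + "/".join(out), escaped


def decide(request_target):
    """Map a request-target to (status, location); never rewrite silently."""
    path, sep, query = request_target.partition("?")
    if not path.startswith("/"):
        return 400, None
    normalized, escaped = remove_dot_segments(path)
    if escaped:
        return 403, None  # path tries to climb above the root
    if normalized != path:
        return 301, normalized + sep + query  # client is told the new URI
    return 200, None  # URI is used exactly as the client sent it


if __name__ == "__main__":
    # Constructed request-targets, including the one from the thread.
    for target in ["/a/../b/somewhere", "/b/somewhere", "/a/../../b"]:
        print(target, decide(target))
```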
