To avoid attempts at circumventing restrictions via relative path specifications:
/path/to/available/resource/../../../../path/to/secure/resource

Some (most? all?) browsers will kindly get rid of the relative path reference from the request, but it's certainly possible via, e.g., curl, wget, etc. to craft such a request. Since we're not actually resolving the asset and determining the absolute location, only looking at the requested path via regex, it's prudent to deter such attempts.

Robert
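To make the trade-off in the reply concrete, here is an added example (not code from the project or from either poster) that checks a request path three ways: a dot-free regex as described above, a relaxed regex that permits dots (the change being asked about), and a check that percent-decodes and normalizes the path first and only then applies the allowlist. The allowlist prefix, the regexes and the request paths are all hypothetical and constructed for the demonstration; the traversal path is the one quoted in the reply.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical allowlist: only this subtree of the asset namespace is servable.
ALLOWED_PREFIXES = ("/path/to/available/",)

# Segment pattern with no dots at all; only the final segment may carry one extension.
_SEGMENT = r"[A-Za-z0-9_-]+"
STRICT_PATH = re.compile(rf"^/(?:{_SEGMENT}/)*{_SEGMENT}(?:\.[A-Za-z0-9]+)?$")

# Relaxed pattern that permits dots in any segment, as the thread proposes.
LOOSE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+$")


def allowed_by_strict_regex(path: str) -> bool:
    """Dot-free regex on the raw request path, then the prefix allowlist."""
    return STRICT_PATH.fullmatch(path) is not None and path.startswith(ALLOWED_PREFIXES)


def allowed_by_loose_regex(path: str) -> bool:
    """Dot-permitting regex on the raw request path, then the prefix allowlist.

    Unsafe on its own: '..' segments pass the regex and the prefix test.
    """
    return LOOSE_PATH.fullmatch(path) is not None and path.startswith(ALLOWED_PREFIXES)


def normalize_request_path(path: str) -> Optional[str]:
    """Percent-decode, require an absolute path, collapse '.' and '..' segments.

    Returns None for inputs that cannot be a safe asset path (control characters,
    backslashes, or a relative path).
    """
    decoded = unquote(path)
    if not decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return None
    # posixpath.normpath resolves '..' purely lexically (no filesystem access);
    # '..' above the root is discarded, so the result stays absolute.
    return posixpath.normpath(decoded)


def allowed_after_normalization(path: str) -> bool:
    """Apply the allowlist to the resolved path, so dots can be permitted safely."""
    normalized = normalize_request_path(path)
    if normalized is None or LOOSE_PATH.fullmatch(normalized) is None:
        return False
    return normalized.startswith(ALLOWED_PREFIXES)


# Constructed request paths for the demonstration.
TRAVERSAL = "/path/to/available/resource/../../../../path/to/secure/resource"
ENCODED_TRAVERSAL = "/path/to/available/%2e%2e/secure/resource"
DOTTED_FILENAME = "/path/to/available/jquery.min.js"
PLAIN = "/path/to/available/resource/site.css"

if __name__ == "__main__":
    for p in (TRAVERSAL, ENCODED_TRAVERSAL, DOTTED_FILENAME, PLAIN):
        print(
            p,
            "strict:", allowed_by_strict_regex(p),
            "loose:", allowed_by_loose_regex(p),
            "normalized:", allowed_after_normalization(p),
        )
```

With only the relaxed regex, the quoted traversal path is accepted because every segment, including `..`, matches the character class and the raw string still starts with the allowed prefix. The dot-free regex rejects it, but also rejects a legitimate `jquery.min.js`. Normalizing before applying the allowlist accepts the dotted filename and rejects both the plain and the percent-encoded traversal, which is the route to take if dots are to be permitted.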

On Jan 19, 2010, at 4:26 AM, Ulrich Stärk wrote:

What was the rationale behind not allowing dots in the path part of the URL and additional dots in the filename?

Are there any objections against allowing them?

Uli

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

