Anne van Kesteren wrote:
> On Fri, 08 Feb 2008 23:30:46 +0100, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>> Second, I don't think we should automatically be "fixing up" the
>> directory URI by prepending and/or appending slashes if they aren't
>> there. In all other cases we opt to fail if the required syntax is
>> wrong, which seems like the safer thing when it comes to security. I
>> think we should apply the same rule here.
>
> The current specification does not prepend a slash. It requires the URI
> to match the abs_path production from RFC 2616. It does append a slash
> for comparison purposes. I explained this in the other e-mail.

I'd say we should require an initial and an ending '/'. If the path
doesn't follow that syntax always deny the request.

This follows the general principle of don't do automatic fixups, and
always deny if something looks wrong.

/ Jonas
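
The two behaviours discussed in this message, side by side, as an added example that is not part of the original e-mail or of the specification: appending a trailing slash for comparison versus denying any directory path that lacks an initial or ending '/'. The function names and sample paths are constructed, and the abs_path check is reduced to "starts with '/'" as a simplifying assumption.

```javascript
// Added illustration: function names and sample paths are constructed.
// Simplification (assumption): the abs_path check is reduced to "starts with '/'".

// Behaviour attributed to the current specification in the thread:
// no slash is prepended, but a trailing '/' is appended for comparison.
function matchAppendSlash(policyPath, requestPath) {
  if (!policyPath.startsWith('/')) return false; // never prepend
  const dir = policyPath.endsWith('/') ? policyPath : policyPath + '/';
  return requestPath.startsWith(dir);
}

// Behaviour proposed in the reply: no fix-ups at all. A directory path
// without both an initial and an ending '/' always denies the request.
function matchStrict(policyPath, requestPath) {
  if (!policyPath.startsWith('/') || !policyPath.endsWith('/')) return false;
  return requestPath.startsWith(policyPath);
}

// Evaluate both rules over [policyPath, requestPath] pairs.
function compare(samples) {
  return samples.map(([policyPath, requestPath]) => ({
    policyPath,
    requestPath,
    appendSlash: matchAppendSlash(policyPath, requestPath),
    strict: matchStrict(policyPath, requestPath),
  }));
}

// Constructed sample input.
const SAMPLES = [
  ['/docs/', '/docs/a.xml'],         // well-formed: both rules allow
  ['/docs', '/docs/a.xml'],          // missing ending '/': rules disagree
  ['/docs', '/docs-private/a.xml'],  // sibling directory: both deny
  ['docs/', '/docs/a.xml'],          // missing initial '/': both deny
];

console.table(compare(SAMPLES));
```

The rules differ only on the second row: the append-slash rule accepts a policy path the author wrote without the ending '/', while the strict rule treats it as a syntax error and denies.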