On Mon, 19 Jun 2006 09:05:42 +0200, Boyle Owen wrote:
>> -----Original Message-----
>> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Mike -
>> EMAIL IGNORED
>> Sent: Sunday, June 18, 2006 4:09 AM
>> To: [email protected]
>> Subject: [EMAIL PROTECTED] /my.html#mySection
>>
>> I have seen in several browsers that requests such as
>>
>> http://www.xxx.net/my.html#mySection
>>
>> get to the server without the #mySection . The page
>> is delivered and the #mySection is resolved locally
>> by the browser, as would seem to be appropriate.
>
> I've read your post a few times but can't understand it. Can you try to
> explain again what the problem is?
>
> Please don't assume we know anything about your set-up (OS, version, for
> example). BTW, do you really put "#" in the URL or is it shorthand for
> something? (# is an unsafe character...)
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>>
>> Now my CGI does not know about #mySection. If it
>> were to get a GET with the #mySection on it, it
>> would throw an exception, and return a 403.
>>
>> This is exactly what just happened. The log line
>> appears normal except for this.
>>
>> What should I make of this? I could strip off
>> the #mySection in the CGI, and otherwise process
>> normally. Is there some hidden threat here?
>>
>> Thanks for your advice.
>> Mike.
>>
>>
[...]
# uname -a
Linux mbrc20 2.6.14-1.1656_FC4 #1 Thu Jan 5 22:13:22 EST 2006 i686 i686 i386 GNU/Linux

Here is a (slightly edited with XXX YYY ZZZ) log line
from httpd-2.0.54-10.3 :

64.233.173.67 - - [18/Jun/2006:14:03:11 -0400] "GET /XXX/XXX/YYY.html#ZZZ HTTP/1.1" 403 - "http://www.XXX.net/religion/XXX/XXX/YYY.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 .NET CLR 1.1.4322)"

As you can see, good practice notwithstanding, there is a #YYY
in the GET. I have confirmed this by examining the incoming
packet captured with tethereal (ethereal-0.10.13-1.FC4.2) .

Now the #ZZZ is legitimate in the sense that my YYY.html does
contain that hypertext. However, in my experience, browsers do
not normally send the #ZZZ, as explained above.

My question is "how should I respond to it?" Here are choices:

1. Send 403 (Forbidden), which is what I do now.
2. Strip the #ZZZ in my CGI and YYY.html normally.
3. Something else I didn't think of.

Additionally, I wonder why the #ZZZ appeared in the first place.

Thanks for your interest in this.
Mike.
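
Added example, not part of the original thread or of any poster's code: a Python sketch that finds access-log entries whose request target carries a raw '#', and shows the target that option 2 (strip the fragment) would pass on to the CGI. It assumes Apache's "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; adjust to the server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def split_fragment(target):
    """Split a raw request target at the first '#'.

    Returns (target_without_fragment, fragment); fragment is None when no
    '#' is present. A percent-encoded '%23' is path data and is left alone.
    """
    base, sep, fragment = target.partition("#")
    return base, (fragment if sep else None)

def fragment_requests(lines):
    """Return one record per log line whose request target contains '#'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in combined format; skip rather than guess
        base, fragment = split_fragment(m["target"])
        if fragment is None:
            continue
        hits.append({
            "host": m["host"],
            "status": int(m["status"]),
            "normalized": base,  # what option 2 would hand to the CGI
            "fragment": fragment,
            # Triage hint only: the Referer names the same document.
            "same_page_referer":
                urlsplit(m["referer"]).path == urlsplit(base).path,
        })
    return hits

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2006:14:03:11 -0400] "GET /docs/page.html#section2 HTTP/1.1" 403 - "http://www.example.net/docs/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.11 - - [18/Jun/2006:14:05:40 -0400] "GET /docs/page.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2006:14:09:02 -0400] "GET /docs/other.html#top HTTP/1.1" 403 - "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in fragment_requests(SAMPLE_LOG):
        print(hit)
```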
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.