On Sep 13, 2007, at 8:20 AM, Plüm, Rüdiger, VF-Group wrote:
Sorry for being confused, but what change to a URI are you
talking about? Transforming

GET /a/../b/somewhere

into

a request for /b/somewhere?

This is the usual transformation we also do in the case where we deliver
static content (without sending a redirect to /b/somewhere).

We are supposed to be sending a redirect (or 403) in that case.
Is that not true?

No. Just create a webserver with a document root and the directories a and b
below the document root containing an index.html

Request

GET /a/../b/index.html HTTP/1.0

You will get the contents of <document root>/b/index.html directly (a.k.a. status code 200)
without any redirect. It has worked like this for as long as I can remember.

Some bugs last longer than others, no matter how many times they are
pointed out on this list.  I am too busy to fix it this week and off
to Berlin next week, but feel free to fix it yourself.

Any transformation of the URI must result in a 403 or redirect.
The only parts of the server that should ever be allowed to
internal redirect are the storage handling routines *after* the
location has been set, and even those should redirect if the new
location has a different (better) URI.  Proxies are absolutely
forbidden from making any change to the URI -- they must forward
as is or return an error.  A reverse proxy is not a proxy.

....Roy
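
The rule stated in the last message (a request whose URI would be changed by normalization gets a redirect or a 403, never a silent internal rewrite) can be sketched as follows. This is an added example, not code from the thread or from httpd; the function names, the choice of 301 for the redirect, the 400 for a non-absolute path, and treating `%2e` as a dot are assumptions.

```python
import re

# Assumption: a percent-encoded dot is treated the same as a literal dot.
_ENC_DOT = re.compile("%2e", re.IGNORECASE)

def remove_dot_segments(path):
    """Collapse '.' and '..' segments of an absolute path (RFC 3986, 5.2.4).

    Returns (normalized_path, escaped); escaped is True when a '..'
    tried to climb above the root.
    """
    out, escaped, last = [], False, ""
    for seg in path.split("/")[1:]:        # element 0 is the empty string before the first "/"
        last = _ENC_DOT.sub(".", seg)      # decoded form, used for comparison only
        if last == ".":
            continue
        if last == "..":
            if out:
                out.pop()
            else:
                escaped = True
            continue
        out.append(seg)                    # keep the segment exactly as received
    if last in (".", ".."):
        out.append("")                     # a trailing dot-segment names a directory
    return "/" + "/".join(out), escaped

def decide(request_target):
    """Return (status, location) for a request-target such as '/a/../b/x?q=1'."""
    path, _, query = request_target.partition("?")
    if not path.startswith("/"):
        return 400, None                   # only absolute paths are handled here
    normalized, escaped = remove_dot_segments(path)
    if escaped:
        return 403, None                   # climbs out of the document root
    if normalized != path:
        # The URI would be transformed: tell the client instead of serving it.
        return 301, normalized + ("?" + query if query else "")
    return 200, None                       # unchanged; go on to map it to storage

if __name__ == "__main__":
    # Constructed sample requests, including the one from the thread.
    for target in ("/a/../b/index.html", "/b/index.html",
                   "/../etc/passwd", "/a/%2E%2E/b/?x=1"):
        print(target, "->", decide(target))
```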
