Then why not restrict relative paths only? The current implementation forbids paths like:

/path/to/file-1.0.0.png

This isn't a relative path, but it has periods in the filename.

On Tue, Jan 19, 2010 at 20:45, Robert Zeigler <[email protected]> wrote:
> To avoid attempts at circumventing restrictions via relative path
> specifications:
> /path/to/available/resource/../../../../path/to/secure/resource
>
> Some (most? all?) browsers will kindly get rid of the relative path
> reference from the request, but it's certainly possible via, eg, curl, wget,
> etc. to craft such a request. Since we're not actually resolving the asset
> and determining the absolute location, only looking at the requested path
> via regex, it's prudent to deter such attempts.
>
> Robert
>
> On Jan 19, 2010, at 4:26 AM, Ulrich Stärk wrote:
>
>> What was the rationale behind not allowing dots in the path part of the
>> URL and additional dots in the filename?
>>
>> Are there any objections against allowing them?
>>
>> Uli
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>

-- 
Dmitry Gusev
AnjLab Team
http://anjlab.com
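The two positions in this thread (a regex over the requested path that forbids dots, versus a rule that only forbids `..` segments) can be compared against the check the regex is standing in for: canonicalising the request and testing that it stays under the asset root. The following is an added illustration, not Tapestry's code and not code from any poster; the asset root `/path/to/available`, the sample request paths other than the traversal path quoted by Robert, and the function names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed root for the example: everything below it is a public asset,
# everything outside it (e.g. /path/to/secure/...) must never be served.
ASSET_ROOT = "/path/to/available"

# Pattern in the spirit of the strict rule Uli asks about: no dot anywhere
# in the directory part and at most one dot in the filename. It rejects
# /path/to/file-1.0.0.png even though that path contains no traversal.
STRICT_ASSET_PATH = re.compile(r"^(/[^./]+)*/[^./]+(\.[^./]+)?$")

# Relaxed rule in the spirit of Dmitry's suggestion: dots are fine anywhere,
# but no path segment may be exactly "." or "..".
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.?(/|$)")


def strict_regex_allows(path: str) -> bool:
    """Spelling-based check: forbids dots outside a single file extension."""
    return STRICT_ASSET_PATH.match(path) is not None


def relaxed_regex_allows(path: str) -> bool:
    """Spelling-based check: forbids only '.' and '..' segments."""
    return path.startswith("/") and TRAVERSAL_SEGMENT.search(path) is None


def canonical_allows(path: str, root: str = ASSET_ROOT) -> bool:
    """Location-based check: lexically resolve the path and accept it only
    if the resolved location is strictly below the asset root.

    The trailing '/' on the prefix matters: without it, a sibling directory
    whose name merely starts with the root's name would pass."""
    if not path.startswith("/") or "\x00" in path:
        return False
    resolved = posixpath.normpath(path)
    prefix = root.rstrip("/") + "/"
    return resolved.startswith(prefix)


def check_asset_request(raw_path: str) -> dict:
    """Run all three checks on one request path and report each verdict."""
    # Decode first so every check sees the form the server would resolve.
    path = unquote(raw_path)
    return {
        "strict_regex": strict_regex_allows(path),
        "relaxed_regex": relaxed_regex_allows(path),
        "canonical": canonical_allows(path),
    }


if __name__ == "__main__":
    # Robert's traversal example, Dmitry's versioned-filename case (placed
    # under the constructed root), and a plain asset, for comparison.
    for request in (
        "/path/to/available/resource/../../../../path/to/secure/resource",
        "/path/to/available/file-1.0.0.png",
        "/path/to/available/logo.png",
    ):
        print(request, check_asset_request(request))
```

The traversal path is rejected by all three checks; the versioned filename is rejected only by the strict regex, which is the false positive Dmitry describes; and a harmless `./` segment is rejected by the relaxed regex but accepted by canonicalisation, which shows that the regex is a conservative filter rather than the real decision. `posixpath.normpath` resolves the path lexically only, so if assets are served from a real filesystem where symbolic links are possible, the root comparison should be made on the `os.path.realpath` result instead.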
