Adam Katz wrote:
Adam Katz wrote:
Relative URIs are only safe when prefacing the URI.  Requiring the
protocol beforehand should do the trick.  Since "http://" is the
implied protocol and is 8 chars, we get this:

uri URI_HIDDEN /.{8}\/\../

Ned Slider wrote:
Yep - that works great for me and I understand the logic (I assume you
meant the protocol is a max of 8 chars as in "https://").

I was initially thinking https, but it appears SA's "uri" always
converts relative URIs into "http://" links, so we want a "7" there.

uri URI_HIDDEN /.{7}\/\../

I should also have noted that while this works around the SA bug, it
also ignores hidden dirs and files appearing early in relative paths,
like <a href="a.bc/.secret"> and of course it will have to be undone
when SA patches that bug.


But again wouldn't that be converted to http://a.bc/{dot}secret and therefore hit the rule?

Please correct me if I'm wrong, but presumably the shortest possible valid resolvable domain is 5 chars, as in http://ab.cd/, so if we are merely interested in hidden subdirectories there must be a minimum of 12 characters before the slash-dot?

Anyway, I think I'm happy sticking with /.{8}\/\../
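The following is an added example, not code from the thread or from SpamAssassin itself. It applies the three rule bodies discussed above (the bare /\/\../, Adam's /.{7}\/\../ and /.{8}\/\../) plus a 12-character variant following Ned's "shortest resolvable domain" reasoning to a set of constructed hrefs, after mimicking the relative-URI behaviour described in the thread. The normalization is an assumption: a href with no scheme is prefixed with "http://", which is what the thread says SA's "uri" rules see. The regexes are used unchanged; Python's re treats \/ and .{7} the same way Perl does for these patterns.

```python
import re

# Rule bodies exactly as they appear in the thread's "uri NAME /.../" lines,
# keyed by a short label. "twelve" is an extra variant built from Ned's
# reasoning that "http://ab.cd" is the shortest possible prefix (12 chars).
RULES = {
    "naive":  re.compile(r"\/\.."),       # the plain slash-dot check
    "seven":  re.compile(r".{7}\/\.."),   # Adam's corrected rule
    "eight":  re.compile(r".{8}\/\.."),   # Adam's first version / Ned's choice
    "twelve": re.compile(r".{12}\/\.."),  # assumption: minimum "http://ab.cd"
}

# Assumption: relative hrefs are turned into "http://" links before the uri
# rules run, which is the SA behaviour the thread describes.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize(href: str) -> str:
    """Return the URI as (we assume) the uri rules would see it."""
    if SCHEME_RE.match(href):
        return href
    return "http://" + href


def matching_rules(href: str) -> set:
    """Return the labels of every rule that fires on the normalized href."""
    uri = normalize(href)
    return {name for name, rx in RULES.items() if rx.search(uri)}


def evaluate(hrefs) -> dict:
    """Map each href to the set of rule labels that hit it."""
    return {h: matching_rules(h) for h in hrefs}


# Constructed sample hrefs covering the cases raised in the thread.
SAMPLE_HREFS = [
    "./index.html",                        # relative path: becomes http://./index.html
    "../images/x.gif",                     # relative path: becomes http://../images/x.gif
    "a.bc/.secret",                        # Adam's short-domain example
    "http://example.com/.hidden/",         # a real hidden directory
    "https://ab.cd/.git/config",           # https with the shortest domain
    "http://example.com/images/logo.png",  # no hidden path component at all
]

if __name__ == "__main__":
    for href, hits in evaluate(SAMPLE_HREFS).items():
        print(f"{normalize(href):40s} -> {sorted(hits) or '-'}")
```

Running it shows the trade-off the thread is circling: the bare rule fires on the "http://./" and "http://../" links that SA manufactures from relative paths, the 7- and 8-character versions suppress those while still catching "a.bc/.secret" (as Ned expected), and the 12-character version also misses that short-domain case.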

