I'm going to use a real-world example here because people seem to not
get why this may be a problem.
Let's say I want to start hosting the git repo for my utility
gemlog.sh[a] on gemini. I make a directory on my site, so the full url
would be `gemini://nytpu.com/gemlog.sh/`. Now, say I put a link in my
root index.gmi (`/`) linking to `gemlog.sh`[b]. This is a perfectly
valid link to a directory on my server, but this would instead be
interpreted as the url `gemini://gemlog.sh/` if you use the faulty
method of parsing. (`.sh` is a valid TLD[c] so it wouldn't work even if
you have a whitelist of tlds).
Now, there's a few options to prevent this from happening:
1) Ban periods in all file & directory names. You'd also have to ban it
in filenames, because what if I make the relative link to a file called
`command.com`? Requires large, breaking spec changes.
2) Instead of documents being served as-is and having clients parse
urls, instead force servers to rewrite all urls, checking if it is a
valid directory or not before serving. All clients only expect well-
formed, full urls, and all existing server implementations are in
violation. Requires large, breaking spec changes.
3) Require that links to directories must not be relative if they could
be confused as a uri host. This is an inconsistent, quick fix that is
very ambiguous, because one client may think it's a valid host while
others may not. It also puts the burden on the authors of documents,
because now they have to remember when relative links are allowed and
when they aren't, and test their documents on a variety of clients to
ensure that it is compatible with all their parsing methods. Requires
large, breaking spec changes.
4) Follow the carefully and clearly defined specification[d] that is
over 15 years old and is well-adopted by existing uri parsing libraries.
Requires minimal, non-breaking spec changes, purely for clarity.
I know which one I'd choose. Obviously option 1 is the only real option
here, the outlandish ones like option 4 just make no sense.
[a]: https://tildegit.org/nytpu/gemlog.sh
[b]: so the full line would read:
`=> gemlog.sh a utility for managing gemlogs from the command line`
[c]: https://en.wikipedia.org/wiki/.sh
[d]: https://tools.ietf.org/html/rfc3986
--
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://useplaintext.email/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20201117/be60
9ab7/attachment-0001.sig>
---
Previous in thread (14 of 31): 🗣️ Petite Abeille (petite.abeille (a) gmail.com)
Next in thread (16 of 31): 🗣️ Philip Linde (linde.philip (a) gmail.com)