Remco me at rwv.io
Sat May 15 14:18:52 BST 2021
- - - - - - - - - - - - - - - - - - -
2021/05/15 13:09, Almaember:
A question to everybody reading the list, how badly would it break the
spec to simply block any request whose URLs contain ".." as a
standalone path-element?
Simply blocking ".." won't catch all problems. For instance, dezhemini actually blocks all requests containing ".." in the URL and returns a 59 (bad request). This particular case is a problem in the Racket standard library used to parse URLs. This library splits a path into parts (strings and symbols) with 'up (a symbol) for "..", but not when the dots are escaped with %; it would yield "..". Dezhemini only blocked on 'up, ouch..
Also, blocking ".." will break my lang=morse site! ;-)
..///.-../---/...-/.///--././--/../-./..
Cheers, Remco
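The gap described in the reply above, as an added example that is not part of the original message and is neither Dezhemini's code nor the Racket library: a check on the undecoded path segments misses percent-escaped dots, while a check made after decoding each segment exactly once catches them. It is written in Python; the host name, file names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote


def raw_dotdot_check(url):
    """Look for '..' among the path segments *before* percent-decoding.

    This mirrors the failure mode in the message: the escaped form of the
    dots never compares equal to '..', so the check passes.
    """
    return ".." in urlsplit(url).path.split("/")


def safe_segments(url):
    """Return decoded path segments, or None if the request should be refused
    (a Gemini server would answer 59, bad request).

    Order matters: split on the literal '/' first, then decode each segment
    exactly once, then validate the decoded value that will reach the
    filesystem.
    """
    segments = []
    for raw in urlsplit(url).path.split("/"):
        seg = unquote(raw)            # single decode; "%252e" stays "%2e"
        if seg in ("", "."):
            continue                  # empty and current-dir segments are no-ops
        if seg == "..":
            return None               # parent reference, escaped or not
        if "/" in seg or "\\" in seg or "\x00" in seg:
            return None               # an encoded separator or NUL hid inside a segment
        segments.append(seg)
    return segments


if __name__ == "__main__":
    # Constructed sample requests.
    for url in (
        "gemini://example.org/docs/index.gmi",
        "gemini://example.org/docs/../secret",
        "gemini://example.org/docs/%2e%2e/secret",
        "gemini://example.org/docs/%2E./secret",
        "gemini://example.org/docs/a%2f..%2fb",
    ):
        print(url, raw_dotdot_check(url), safe_segments(url))
```
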