From nobody@hyperreal.com Sat Mar 29 02:39:49 1997 Received: by taz.hyperreal.com (8.8.4/V2.0) id CAA29506; Sat, 29 Mar 1997 02:39:49 -0800 (PST) Message-Id: <199703291039.CAA29506@taz.hyperreal.com> Date: Sat, 29 Mar 1997 02:39:49 -0800 (PST) From: John Van Essen Reply-To: jve@gamers.org To: apbugs@hyperreal.com Subject: GET request with trailing ".." needs a REDIRECT X-Send-Pr-Version: 3.2 >Number: 284 >Category: general >Synopsis: GET request with trailing ".." needs a REDIRECT >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: change-request >Submitter-Id: apache >Arrival-Date: Sat Mar 29 02:40:01 1997 >Last-Modified: Wed Apr 23 04:34:38 PDT 1997 >Originator: jve@gamers.org >Organization: >Release: 1.2b2 >Environment: Linux (but problem is not OS-dependent) >Description: Normally, Apache sends a 302 for a directory path that does not have a trailing slash, but it fails to do so for a path ending in "..". This came to light because a spider/robot program named Teleport Pro incorrectly sends a GET request with a URI that ends in a ".." when it encounters HREF="..". Since Apache doesn't tell it otherwise, dumb ol' Teleport thinks it has a file named ".." and constructs a bunch of bad relative URLs, which result in many 'Not Found' errors in our error.log. Inasmuch as this is not Apache's fault, it would be consistent to do a Redirect for a URI that has a trailing "." or ".." path component (and for trailing "./" and "../", too, for that matter) and supply the appropriate name as constructed by the getparent() routine. >How-To-Repeat: webget -head -nf www.gamers.org/docs gets 302 (correct) webget -head -nf www.gamers.org/docs/ gets 200 (correct) webget -head -nf www.gamers.org/docs/.. gets 200 (should get 302) >Fix: 1) Send a REDIRECT whenever getparent makes any changes to a uri, or 2) Send a REDIRECT whenever there is a ".." anywhere in the uri, or 3) Send a REDIRECT whenever there is a trailing ".." or "../". Pick one. :) The REDIRECT should be for the path with the ".." resolved out of it (i.e. getparent result). (A comment about this PR form: I hope a copy of this PR gets automatically e-mailed to me so I have a record of what I've submitted.) :) %0 >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: coar@decus.org State-Changed-When: Wed Apr 23 04:34:38 PDT 1997 State-Changed-Why: Out-of-band discussions determined that a trailing ".." is supposed to be handled by the client, not the server. Customer has withdrawn request for change, and will continue to apply local modifications to Apache to effect this behaviour. Since the original client vendor has acknowledged their incorrect handling, this appears to have become moot in any event. Thank you for the report, and for using Apache! >Unformatted: