[mod_python] dot dot in the url

Roger Binns rogerb at rogerbinns.com
Mon May 14 13:33:18 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim Gallacher wrote:
> REST is built *on* the RFC standards and in no way violates them. RFC
> 3986 is dated January 2005, whereas the thesis first detailing REST was
> written in 2000. 

3986 builds on several previous RFCs which do predate REST.  URIs
existed long before REST as did standards specifying URIs.

> Your URL usage does bend the rules, so don't be surprised if it ends up
> being difficult or impossible to make it work the way you want.

REST has identifiers as part of the URL.  In most examples a number is
used because the underlying data is stored as a database and the number
corresponds to a primary key.  However there are many examples of
strings being used as well.  A consequence of the URI rules as done by
Apache is that those strings cannot contain /./ or /../ or start with ./
or ../

I'm just going to have to live with that since even though my code can
cope with them, Apache uses the processed URL for access control,
invoking handlers etc.

I'm left with two alternatives:

 - Outright ban those sequences in unique identifiers
 - Have some sort of escape sequence that allows them

I really hate edge cases like this.  They make software more arbitrary
and annoying.

Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGSJ1emOOfHg372QQRAopFAJ4lSb4Ehk4pikHEmmONeROd2KHRywCg0di3
oT1T5GjRWDUkyfsWuOcL/J0=
=MTts
-----END PGP SIGNATURE-----
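
The two alternatives listed in the post, as an added example that is not part of the original message: Python that implements RFC 3986 section 5.2.4 dot-segment removal, rejects identifiers that normalization would alter, and shows one possible escape. The /item/ prefix and the "~" escape convention are assumptions made for illustration.

```python
def remove_dot_segments(path):
    """Dot-segment removal as specified in RFC 3986 section 5.2.4."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()          # ".." discards the previous segment
        elif path in (".", ".."):
            path = ""
        else:
            end = path.find("/", 1)
            end = len(path) if end == -1 else end
            out.append(path[:end])
            path = path[end:]
    return "".join(out)

PREFIX = "/item/"  # assumed URL prefix under which identifiers are exposed

def is_safe_identifier(ident):
    """Alternative 1 (ban): accept only identifiers that normalization leaves intact."""
    url = PREFIX + ident
    return remove_dot_segments(url) == url

def _is_special(segment):
    return segment in (".", "..") or segment.startswith("~")

def escape_identifier(ident):
    """Alternative 2 (escape): prefix "~" to dot segments and to segments starting with "~"."""
    return "/".join("~" + s if _is_special(s) else s for s in ident.split("/"))

def unescape_identifier(escaped):
    """Inverse of escape_identifier: drop one leading "~" from each segment."""
    return "/".join(s[1:] if s.startswith("~") else s for s in escaped.split("/"))
```

The application unescapes only after the server has routed the request, so access control and handler selection both see a path with no dot segments in it.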

