Re: %5C in url

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 16 Feb 2004 01:11:08 +0100 (CET)

On Mon, 16 Feb 2004, Evgeny Kotsuba wrote:

> Hi,
>
> I just find that Mozilla can ask urls like
> http://www.lasercomp.ru/technologies/..%5Cimg/lk.gif and user can
> see nothing....

Well, it is a perfectly valid URL for the file
"technologies/..%5Cimg/lk.gif" on "www.lasercomp.ru". If there is a client
which reads this URL differently then the client is very broken.

> Well this is windoz-way to write things like that, but...

Don't blame Windows for sloppy web masters who don't verify their content
when publishing information on the web.

> +/* EK add for fucking M$-style (beep) like
> http://www.lasercomp.ru/technologies/..%5Cimg/logo3.gif */
> + t = strstr(urlpath,"%5C");
> + if(t)
> + { int i;
> + l = strlen(t);
> + q = t + 3;
> + *t = '/';
> + t++;
> + for(i=3; i < l; i++)
> + { *t++ = *q++;
> + }
> + *t = 0;
> + }
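
Review bot: strstr(urlpath,"%5C") in the first added statement rewrites only the first occurrence and only the upper-case spelling, so a path with a second %5C or with %5c passes through unchanged; if the rewrite is kept at all it should loop until strstr finds nothing and compare the hex digits case-insensitively. The search also runs over the whole of urlpath, so if that buffer can hold a query string the match needs to stop at the first '?'. The hand-written copy loop can be a single memmove(t + 1, t + 3, strlen(t + 3) + 1), and the declarations of t, q and l are not in the lines shown. The ".." in front of the new '/' is left in the path for something later to resolve.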

This does not fix the URL or the webmaster who published this URL. To
correct this URL you need to have the original HTML in which the URL is
embedded corrected.

In fact modifying URLs in this manner violates the HTTP standard and is
not acceptable.

If you still want to do this then it is easily done via a redirector. No
need to modify Squid. In such case you can even do it correctly by
removing the directory.

Long story:

   http://www.lasercomp.ru/technologies/..%5Cimg/logo3.gif

is the result of a "..\img/logo3.gif" URL in an IMG SRC tag within a
document in the "/technologies/" directory. By guessing the webmaster of
this site was using Windows or other system using \ as directory separator
it can be guessed he intended to use "../img/logo3.gif", and the URL
should thus be transformed into "http://www.lasercomp.ru/img/logo3.gif" as
this is what the browser would have done had the webmaster used the
correct directory separator when writing the URL.

But as I said, if you have a client where this URL works when going direct
but not via the proxy then you have a very broken client. No HTTP clients
are allowed to even remotely think that \ or %5C is a directory separator
in HTTP URLs. Servers MAY, but then there is no difference between going
direct or via the proxy.

Local file URLs are a different story, \ is the directory separator on
local files on Windows and legal to use for that purpose on Windows, even
if / is preferred and works better. How /../ is to be interpreted by the
browser differs significantly however:

  /somedir%5Csubdir/../otherdir
or
  /somedir\subdir/../otherdir

is

  /otherdir

not

  /somedir/otherdir

even if the latter is most likely what was intended.

Regards
Henrik
Received on Sun Feb 15 2004 - 17:11:16 MST
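
Added example (not part of the original message and not Squid code): the two readings of the paths discussed above, written in Python so the results can be compared side by side. The function names are illustrative, and the input is assumed to be an absolute URL path with the query string already split off.

```python
import re

# "%5C", "%5c" and a literal backslash. Only the lenient reading below
# treats these as a directory separator; the standard reading does not.
BACKSLASH = re.compile(r"%5[Cc]|\\")


def remove_dot_segments(path):
    """Resolve "." and ".." in an absolute path; "/" is the only separator."""
    segments = path.split("/")[1:]
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if out:
                out.pop()          # ".." removes the previous whole segment
            if last:
                out.append("")     # keep the trailing slash: /a/b/.. -> /a/
        elif seg == ".":
            if last:
                out.append("")
        else:
            out.append(seg)        # "somedir%5Csubdir" is ONE segment here
    return "/" + "/".join(out)


def strict_path(path):
    """Standard reading: backslash forms are ordinary segment characters."""
    return remove_dot_segments(path)


def lenient_path(path):
    """Guess at the author's intent: map backslash forms to "/" first."""
    return remove_dot_segments(BACKSLASH.sub("/", path))


def changes_under_lenient_reading(path):
    """True when the two readings name different resources."""
    return strict_path(path) != lenient_path(path)


if __name__ == "__main__":
    for p in ("/somedir%5Csubdir/../otherdir",
              "/technologies/..%5Cimg/logo3.gif"):
        print(p, "| strict:", strict_path(p), "| lenient:", lenient_path(p))
```

A proxy or filter can log the paths for which changes_under_lenient_reading() is true, since those are the requests whose target depends on how the origin server treats the backslash.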