i18n@... wrote:

>I think that sort of URL is fine as long as the ".." series doesn't
>point back up above and out of the document root. If it does, and the
>server allows it, then it is an enormous security hole, as it would
>allow arbitrary execution of code anywhere on the server (although
>privileges would still come into play)
>
>
The ".." notation (and "." as well, for that matter) in a URL *is*
standard, and is defined in the way one might expect. Bear in mind that
URLs don't *necessarily* mirror server-side directory structures: they
are just name structures. Of course, in actuality they generally do
mirror directories. Thus, using ".." to jump out of the document root
doesn't make sense from the URL standards point of view, and a server
that lets such a thing happen is a monumental mistake and its programmer
should be yelled at most harshly. Browsers also should do the Right
Thing with such URLs, and trim the directory paths appropriately on the
local side when possible.

Ref. http://www.gbiv.com/protocols/uri/rfc/rfc3986.html section 3.3.

~mark
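An added example in Python, not part of this thread, showing both halves of the point above: the RFC 3986 dot-segment removal a client applies (leading ".." that would climb above the root is simply dropped), and the containment check a server should make before touching the filesystem. The document root `/srv/www` and the request paths are constructed sample values.

```python
import posixpath
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve "." and ".." inside a URL path.
    Leading ".." segments that would climb above the root are discarded,
    which is the client-side trimming the thread refers to."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/", if any) to the output.
            cut = inp.find("/", 1 if inp.startswith("/") else 0)
            if cut == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:cut])
                inp = inp[cut:]
    return "".join(out)


def resolve_under_docroot(docroot: str, url_path: str):
    """Server side: map a request path onto the document root and refuse
    anything that lands outside it. Percent-escapes are decoded first so an
    encoded "%2e%2e" is treated exactly like "..". Returns the filesystem
    path, or None when the request would escape the root."""
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, unquote(url_path).lstrip("/")))
    # commonpath avoids the "/srv/www" vs "/srv/wwwx" prefix trap of startswith().
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```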