security - .. (dot dot) in URLs


Consider a web service that receives requested URLs like this:

samplehost.com/here/comes/a/path

The app behind it takes the path (the part after .com) and serves the file with that path relative to a defined local directory.

So, let's say the public directory is /home/user/files; the above URL would then serve the file /home/user/files/here/comes/a/path.

While writing this, I bumped into the question of what happens when someone requests URLs like:

samplehost.com/../secret

Neither curl nor the browser sent that URL as-is. Or rather, in both cases the web app received the path with the dot-dots removed: secret

Where is this mechanism implemented? Is there anything else I need to make sure of here in order not to have such a security issue?

The app that loads the data has to make sure that only data from the public directory is loaded. Security can additionally be improved by using file system permissions.

You shouldn't rely on client-side checks, because they depend on the client used. A hacker can write whatever they want in the HTTP request.
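The server-side check the answer calls for, as an added example that is not part of the question or answer above: a Python mapping from the request path onto a public directory (the question's /home/user/files is used as the assumed root) that percent-decodes once, refuses any `..` segment instead of silently collapsing it the way curl and browsers do, confirms the normalised result is still under the root, and finally re-checks with `os.path.realpath` so that a symlink inside the public directory cannot point back outside it.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class PathTraversal(Exception):
    """Raised when a request path would leave the public directory."""


def decode_url_path(url_path: str) -> str:
    """Percent-decode exactly once (so %2e%2e is seen as ..) and reject NUL bytes."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise PathTraversal("NUL byte in request path")
    # Treat backslashes as separators too; some servers accept them.
    return decoded.replace("\\", "/")


def has_dotdot_segment(url_path: str) -> bool:
    """True if any segment of the decoded path is '..'."""
    return any(seg == ".." for seg in decode_url_path(url_path).split("/"))


def map_to_public(public_dir: str, url_path: str) -> str:
    """Pure (no filesystem access) mapping of a URL path onto public_dir.

    Rejects '..' segments outright, then normalises and verifies the
    result is public_dir itself or strictly below it. Returns a POSIX path.
    """
    if has_dotdot_segment(url_path):
        raise PathTraversal(f"dot-dot segment in {url_path!r}")
    decoded = decode_url_path(url_path)
    root = posixpath.normpath(public_dir)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        raise PathTraversal(f"{url_path!r} escapes {root}")
    return joined


def is_safe_request(public_dir: str, url_path: str) -> bool:
    """Boolean convenience wrapper around map_to_public."""
    try:
        map_to_public(public_dir, url_path)
        return True
    except PathTraversal:
        return False


def open_public_file(public_dir: str, url_path: str):
    """Filesystem layer: also defeats symlinks that resolve outside public_dir."""
    target = map_to_public(public_dir, url_path)
    root = os.path.realpath(public_dir)
    real = os.path.realpath(target)
    if real != root and not real.startswith(root + os.sep):
        raise PathTraversal(f"{url_path!r} resolves outside {root} via symlink")
    return open(real, "rb")


if __name__ == "__main__":
    # Constructed demo: a temporary public dir, a secret next to it, and a
    # symlink inside the public dir pointing at the secret.
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "files")
        os.mkdir(public)
        with open(os.path.join(public, "index.html"), "w") as f:
            f.write("hello\n")
        with open(os.path.join(tmp, "secret"), "w") as f:
            f.write("top secret\n")
        os.symlink(os.path.join(tmp, "secret"), os.path.join(public, "link"))

        print(open_public_file(public, "/index.html").read())  # served
        for bad in ("/../secret", "/%2e%2e/secret", "/link"):
            try:
                open_public_file(public, bad)
            except PathTraversal as e:
                print("refused:", e)
```

Decoding only once is deliberate: if the framework in front of the app already decoded the path, `%252e%252e` would arrive as `%2e%2e` and be caught here, but an app that decodes a second time itself must run this check on the final decoded form. The `realpath` step is what covers the answer's "only data from the public directory" requirement when symlinks exist; file system permissions on the process user remain the backstop beneath it.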
