Thread: [RESOLVED] src path question

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    [RESOLVED] src path question

    When loading the following script as a file, the "../test.js" executes correctly from the preceding directory of where the script was loaded from.
    Code:
    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <p><script></script>
           <noscript>JavaScript is disabled, please turn on!</noscript>
           <!-- --> 
        </p>
        <script src="../test.js"></script> 
        <script>adjust()</script>
        <script>window.location.replace("http://localhost:5197")</script>
    </head>
    </html>
    But when passed to the browser as a request response, the browser drops the ".." and requests "/test.js".

    Is this normal?

    J.A. Coutts

  2. #2
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    11,711

    Re: src path question

    Are you sure that the src is dropping the ../? You can confirm by opening the dev tools (either CTRL + SHIFT + i or F12), opening the Inspector tab, and finding the tag in question.

    I suspect that if the relative path is wrong then it would output an error with just the filename. However, using relative paths for a script's src is completely valid.
    "Code is like humor. When you have to explain it, it is bad." - Cory House
    VbLessons | Code Tags | Sword of Fury - Jameram

  3. #3
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: src path question

    If the HTML page is loaded from the site's root directory then relative ../test.js cannot traverse back, i.e. http://mysite/../test.js is not a proper location and will probably default to test.js in the root directory.

    I mean if you serve your root page from c:\path\to\parent\myroot = http://mysite/ you cannot address files in c:\path\to\parent with http://mysite/../ because that would allow downloading either /etc/passwd (or wherever these are shadowed) and/or the registry file where local account hashes are stored on Windows machines.

    cheers,
    </wqw>

  4. #4

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: src path question

    Quote Originally Posted by dday9 View Post
    Are you sure that the src is dropping the ../? You can confirm by opening the dev tools (either CTRL + SHIFT + i or F12), opening the Inspector tab, and finding the tag in question.

    I suspect that if the relative path is wrong then it would output an error with just the filename. However, using relative paths for a script's src is completely valid.
    Using the Web Console is how I traced the problem. When I moved the file to the shared directory, it operated correctly.

    J.A. Coutts

  5. #5

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: src path question

    Quote Originally Posted by wqweto View Post
    If the HTML page is loaded from the site's root directory then relative ../test.js cannot traverse back, i.e. http://mysite/../test.js is not a proper location and will probably default to test.js in the root directory.

    I mean if you serve your root page from c:\path\to\parent\myroot = http://mysite/ you cannot address files in c:\path\to\parent with http://mysite/../ because that would allow downloading either /etc/passwd (or wherever these are shadowed) and/or the registry file where local account hashes are stored on Windows machines.

    cheers,
    </wqw>
    Thanks wqweto. What you are saying makes sense. I was indeed trying to load the file from a directory below the share path. I was trying to prevent the client from directly accessing the file, but it looks like I will have to find another way. It is strange that this was never mentioned in all the searching I did in an attempt to resolve this issue.

    J.A. Coutts

  6. #6
    PowerPoster
    Join Date
    Aug 2010
    Location
    Canada
    Posts
    2,412

    Re: src path question

    You don't want to allow clients to access files outside your root directory directly; that would be a security nightmare. Clients would be able to traverse up the path and then traverse down other paths to grab sensitive files. If you have a static file that the client needs (e.g. a static .js file), this file should be somewhere in or below your root folder. I'm not sure why you wouldn't want to allow direct access to a .js file, but if that's what you need then you should develop a web API and dynamically serve the files outside your root folder from a web app/cgi script/asp page/etc...
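
The two behaviours discussed in posts #3 and #6, as an added example that is not part of the original thread: the browser resolving `../test.js` against the page URL, and a server-side check that refuses any request path climbing above the document root. The root `/srv/site/myroot` and both function names are assumptions made for illustration.

```javascript
// Browser side: a script src is resolved against the page URL using the
// WHATWG URL rules. ".." at the top of the path has nothing to pop, so it
// is dropped before the request is ever sent.
function resolveScriptSrc(pageUrl, src) {
  return new URL(src, pageUrl).pathname;
}

// Server side: a raw client is not bound by the browser's normalisation, so
// the server must check for itself. Returns the file path inside `root`,
// or null when the request is malformed or would leave the root.
function resolveInsideRoot(root, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath); // catches %2e%2e as well
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL byte is never a valid name

  const segments = [];
  // Treat both "/" and "\" as separators so Windows-style input is covered.
  for (const seg of decoded.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null; // would climb above the root
      segments.pop();
    } else {
      segments.push(seg);
    }
  }
  return [root.replace(/\/+$/, ""), ...segments].join("/");
}

// Constructed sample input: the page from post #1 served at the site root,
// followed by request paths a non-browser client could send.
const ROOT = "/srv/site/myroot"; // assumed document root
console.log(resolveScriptSrc("http://localhost:5197/", "../test.js"));
for (const p of ["/test.js", "/js/../test.js", "/../test.js", "/%2e%2e/test.js"]) {
  console.log(p, "->", resolveInsideRoot(ROOT, p));
}
```
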

  7. #7
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    11,711

    Re: src path question

    I'm not sure moving a javascript file outside of the root folder makes sense either. When the browser loads the script, then it will immediately become available to the browser via the Sources tab.

  8. #8
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: src path question

    I regularly create subfolders with a GUID for a session user so I can copy files into that folder for them to see and only them to see.

    Thought I would mention it in case you could somehow use similar logic.

    MS MVP 2006, 2007, 2008

  9. #9

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: src path question

    Quote Originally Posted by jpbro View Post
    You don't want to allow clients to access files outside your root directory directly; that would be a security nightmare. Clients would be able to traverse up the path and then traverse down other paths to grab sensitive files. If you have a static file that the client needs (e.g. a static .js file), this file should be somewhere in or below your root folder. I'm not sure why you wouldn't want to allow direct access to a .js file, but if that's what you need then you should develop a web API and dynamically serve the files outside your root folder from a web app/cgi script/asp page/etc...
    You are 100% correct; the user should not be able to access files outside of the shared directory. My server does do that, but I was not aware of how the browser handled the external script. This experiment answered that question. The script in question (test.js) does not produce any output to the screen, and is immediately followed by the actual page requested by the user. The script is used to adjust the cookie content, and I do not want the client accessing the script independently, as it would negate the original intent.

    J.A. Coutts
