../ security issue *Resolved*

[DeadEyes]

I got a web server that won't allow relative links like "../default/images/myimage.gif"
because the "../" is a security risk.
Does anyone have any ideas how to develop a site without
using double dots, and yet still be able to move it from one server to another?

[mendhak]

That's weird. Most servers I've come across do allow it.

Anyways, what about using:

/images/whatever.gif

Basically, the first forward slash specifies the root directory, and you can give the path from there onwards.

[DeadEyes]

So if I have a structure say

Code:

root
   |
   +---images
   +---page
           |
           +--item

and I'm in item
using "/images" will take me to images
as oppossed to ../../images

[Rick Bull]

Yep that's right. When you say your server doesn't allow it, do you mean when using a server side language like PHP, or just plain HTML? Could we see an example page? Seems kinda weird to me too.

[DeadEyes]

It's a specific setting that the sys admin has put in.
Something along the lines that if you view the source for
a page and you see ../ you can then guess the directory structure
and move to another directory and the permissions get messed up along the way.
I'm not sure if this is a win2k server issue or iis thing.
It effects everything

[DeadEyes]

I've found some info on it here

[Rick Bull]

Ah I see. That's pretty stupid of MS to leave a security flaw like that in there. Sounds like Mendhak's solution should work.

[DeadEyes]

That's pretty stupid of MS to leave a security flaw like that in there

yes, although maybe stupid should be replaced with typical.

Hopefully it should sort it out, it's not something that has to be changed for a while,
I got bugs of my own creation to sort out first

[mendhak]

Wow... I'm actually useful

[DeadEyes]

Originally posted by mendhak
Wow... I'm actually useful

Yes thank you; now don't go making a habit of it

[mendhak]

LOL

[Rick Bull]

Trust me, he won't