Bug or Security Feature in Server reply?

Frank Majewski (fmajewsk@awi-bremerhaven.de)
Thu, 11 Aug 1994 10:31:54 +0200


I don't know if this is the right place....

I have written a CGI-script (at server-side, of course) which will answer
*WHERE* the client can find some files at its *LOCAL* side
(YES, this seems to be undelightful: WHY does a client has to ask the
server (which is not a "file"-server ;-)) where to find a file at local
Well, because *REGARDING* to FORMS we don't have possibilities to
exec local script (shipped with the right parameter) at clientside...)

The CGI-script return an on_the_fly HTML with something like this:

<IMG ALIGN=MIDDLE ALT"the_local_GIF" SRC="file://localhost/../All_Pics/12.gif">

which should mean something like: go up one level of your current directory and
down to 'All_Pics' at your side (CD)

Passing this kind of HTML-code causes two tested clients (XMosaic 2.4 & MacWeb)
to look at server's URL (ie. its CGI-BIN-dir) for the file(s)!

You might say: "That's to be excepted, because the action-URL in the FORM becomes
the actual matching MAIN-URL!" but in my opinion this is a failure because *after*
starting the form you are not at server side any more but at client side (the
transmission has successfully ended), aren't you?

BTW: Saving the requested document and reloading local will work as supposed...

Any comments?

Frank Majewski