firefox handling of apostrophe in www address?

Tim ignored_mailbox at yahoo.com.au
Wed Jan 16 01:12:16 UTC 2008


On Tue, 2008-01-15 at 09:45 +0000, William John Murray wrote:
> My employers have just produced a WWW link with a name like:
>    "private.xx.yy/bad name/really bad name's.doc"

Basically, they've shot themselves in the foot with a really stupid
thing.  You can't just do as you please.  It doesn't matter how much
they dislike it, when you do dumb things, dumb things happen.

> If I click in firefox under fedora 8 I get a 404 for
>    "private.xx.yy/bad$%20name/really%20bad%20name"

What do you mean by "click"?  A link in a webpage?  If so, that's going
to be a HTML problem.

e.g. Example source for a link:  <a href="go-here.html">go here</a>

The quote marks around the URI can be single or double, and it uses the
ASCII apostrophe and ASCII quotes.  An apostrophe in the middle of a
link will upset the parsing of the attribute.

If the webserver allows the apostrophe to be used as just another
character in a filename, then the link in the page should be written
using %27 instead of ' in the HTML.  Likewise for the spaces being
written in the HTML as %20.

> If I type into the title bar
>  "private.xx.yy/bad$%20name/really%20bad%20name\'s.doc"
> openoffice opens a document containing: "500 internal server error"

If I type such an address into my browser, it looks for what I asked for
(the requested address remains "as is"), and I get a 404 if I don't have
such a file, or I get the file if it does exist.

The rules for what can go into a URI are different from what can go into
HTML, or how you handle it is different.  e.g. URIs can include the
ampersand character (&), it's used as a delimiter between parameters.
But in HTML it's the beginning of a character entity.  To use an & in an
address written in HTML to be sent as the & parameter separator, you
encode it as "&amp;".  To use an & in an address written in HTML to be
sent as a & as a character in an address, you encode it as "%26".

A number of characters are reserved for special purposes in URIs, the
apostrophe is one of them.  Reserved doesn't necessarily mean forbidden,
but it may do, or the configuration of the server software might be the
deciding factor.

You have to know these rules when running a webserver.  If you don't,
then you've no business running one.

> If I use a certain other operating system, firefox translates the
> apostrophe into %27 and does get the file.

That would also be okay, so long as the apostrophe is a character in the
name, rather than something else (e.g. a parameter separator).  Encoded
characters are equivalent to the actual character.

-- 
[tim at bigblack ~]$ uname -ipr
2.6.23.12-52.fc7 i686 i386

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
________________________________________________________________

The sky is not falling!
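
Added example, not part of the original message: the two encoding layers described above (percent-encoding for the URI, then entity escaping for the HTML attribute), checked by parsing the markup back. The function names and the query parameters are assumptions made for illustration; the host and file names are the ones quoted in the thread.

```python
# Added example: encode a link for the URI layer first, then the HTML layer.
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlencode


def build_href(host, segments, params=()):
    """URI layer: percent-encode every path segment and query value."""
    # safe="" so space, apostrophe, '&' and '/' inside a name are all encoded
    path = "/".join(quote(seg, safe="") for seg in segments)
    uri = f"http://{host}/{path}"
    if params:
        # '&' stays literal only as the separator; '&' as data becomes %26
        uri += "?" + urlencode(params, quote_via=quote)
    return uri


def anchor(uri, text):
    """HTML layer: escape the finished URI for a quoted attribute."""
    return f'<a href="{escape(uri, quote=True)}">{escape(text)}</a>'


def naive_anchor(raw, text):
    """The form the post warns about: raw name dropped into the attribute."""
    return f"<a href='{raw}'>{text}</a>"


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")


def parsed_hrefs(markup):
    """Return the href values as an HTML parser actually sees them."""
    collector = _HrefCollector()
    collector.feed(markup)
    collector.close()
    return collector.hrefs
```

With the naive form, the parser ends the attribute at the apostrophe, so the link target is cut off before "s.doc".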



