curl-users
Re: FTP login home
Date: Fri, 2 Feb 2007 08:49:47 +0100 (CET)
On Fri, 2 Feb 2007, Daniel Beardsmore wrote:
> Um ... the first and only slash should be the root.
Wrong.
> For example, you don't write http://www.google.com// -- the first slash
> after the hostname is the root.
That is HTTP and not FTP, so the comparison is off.
> ftp://user:pass@server/
>
> you're not guaranteed to be at the root when you connect?
Indeed.
> Now, I tried it: you are correct. It's possible to set up the FTP client
> such that the URL's root is not the root of the log-in, so you can go to
> paths like ftp://user:pass@server/../../foo
In fact, in the entire *nix world you most often simply end up in your user's
home directory when you use URLs like ftp://user:pass@server/.
> However, putting that extra slash in the URL isn't a great security measure,
> as users can just bypass it.
In what way is a single URL secure or not?
> Anyone whose account is set up such that you can traverse below the root,
> has a rather poor FTP admin who should be taken out and shot :-P
Really? Again, most ftp servers out there make you log in to something like
/home/user and traversing to root from there is most commonly allowed.
This has at least been the case for the 15 years or so that I've used ftp.
> Well, these two are mostly equivalent:
>
> Google
> Google
Again totally irrelevant as those are HTTP and then you mix in HTML.
-- Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2007-02-02
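
Added illustration, not part of the original message and not curl's own code: a simplified Python model of how an ftp:// URL path becomes CWD arguments relative to the login directory (the RFC 1738 rule that the slash after the host is only a separator), treating the extra slash discussed in the thread as the root and flagging URLs that step outside the login directory. The function name `ftp_cwd_plan` and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote


def ftp_cwd_plan(url):
    """Return (cwd_args, filename, leaves_login_dir) for an ftp:// URL.

    Simplified model (an assumption of this example): each path segment
    before the last is one CWD argument, issued from the login directory.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    # Drop only the separator slash after the host; the rest is the url-path.
    segments = parts.path[1:].split("/")
    cwds, depth, leaves = [], 0, False
    for i, seg in enumerate(segments):
        arg = unquote(seg)
        is_name = i == len(segments) - 1
        if arg == "":
            if i == 0 and not is_name:   # ftp://host//... : the extra slash
                cwds.append("/")
                leaves = True
            continue
        if arg.startswith("/"):          # %2F-encoded absolute path
            leaves = True
        if not is_name:
            cwds.append(arg)
        # Track how far the walk is from the login directory.
        for comp in arg.split("/"):
            if comp == "..":
                depth -= 1
            elif comp not in ("", "."):
                depth += 1
            if depth < 0:
                leaves = True
    return cwds, unquote(segments[-1]), leaves


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the ones quoted in the thread.
    for u in ("ftp://user:pass@server/",
              "ftp://user:pass@server/pub/file.txt",
              "ftp://user:pass@server/../../foo",
              "ftp://user:pass@server//etc/motd",
              "ftp://user:pass@server/%2Fetc/motd"):
        print(u, "->", ftp_cwd_plan(u))
```

Whether a URL flagged here actually reaches anything depends on the server: one that confines the session to the login directory refuses the CWD, while the common /home/user setup described above allows it.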