Re: MS announces change in IE behavior

From: Parcifal Aertssen (parcifal_at_AQTRONIX.COM)
Date: 01/29/04

    Date:         Thu, 29 Jan 2004 00:45:46 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    >No doubt some who will cry foul, "Hey, you're breaking the RFC",

    Not at all, the RFC specification says that http authentication is not
    allowed in a http url, it is allowed in a generic URI but not for HTTP urls,
    this is an exception!
    RFC 1738 - Page 8

    3.3. HTTP

       The HTTP URL scheme is used to designate Internet resources
       accessible using HTTP (HyperText Transfer Protocol).

       The HTTP protocol is specified elsewhere. This specification only
       describes the syntax of HTTP URLs.

       An HTTP URL takes the form:

          http://<host>:<port>/<path>?<searchpart>

       where <host> and <port> are as described in Section 3.1. If :<port>
       is omitted, the port defaults to 80. No user name or password is
       allowed.

    So, Microsoft is in fact sticking to the RFC this time, something they
    should have done a long time ago. I have been blocking this "http
    authentication" in every mail I received on my domain for over a year, but
    when I saw the IE url obfuscation issue a few weeks back, I was amazed that
    nobody knew this, so I thought I was wrong and that's why I didn't reply.
    Microsoft still gets a "D" from me for this big mess!

    Regards,
    Parcifal Aertssen
    AQTRONIX
    http://www.aqtronix.com/
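
The kind of mail check the message describes, flagging any http URL whose authority carries a user name or password, can be sketched as follows. This is an added example, not part of the original post and not the author's filter; the function name and the sample mail (reserved `.example` domains and a documentation IP address) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Candidate http(s) URLs in a mail body; stop at whitespace, quotes, angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample mail body (not taken from a real message).
SAMPLE_MAIL = """\
Dear customer, please verify your account at
http://www.bank.example@203.0.113.7/login.htm today.
Our real site is http://www.bank.example/help?contact=support@bank.example
Secure form: <a href="https://accounts.bank.example:secret@phish.example:8080/">here</a>
"""


def find_userinfo_urls(text):
    """Return (url, userinfo, real_host) for each http(s) URL carrying userinfo."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed authority (e.g. unbalanced IPv6 brackets)
        # RFC 1738 section 3.3: no user name or password is allowed in an
        # HTTP URL, so an '@' inside the authority is a violation. An '@' in
        # the path or query is legal and is not part of parts.netloc.
        if "@" in parts.netloc:
            userinfo, _, hostport = parts.netloc.rpartition("@")
            # The host actually contacted is what follows the last '@'.
            hits.append((url, userinfo, parts.hostname or hostport))
    return hits


if __name__ == "__main__":
    for url, userinfo, host in find_userinfo_urls(SAMPLE_MAIL):
        print(f"BLOCK {url!r}: displays {userinfo!r}, connects to {host!r}")
```

The second URL in the sample is not flagged, because its `@` sits in the query string rather than in the authority.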


