Re: MS to stop allowing passwords in URLs

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 02/03/04

  • Next message: Francis Favorini: "RE: MS to stop allowing passwords in URLs"
    Date: Tue, 3 Feb 2004 11:32:12 +0100
    To: bugtraq@securityfocus.com
    
    

    On 2004-01-28 McAllister, Andrew wrote:

    [ MS about to invalidate usage of http://>:<pass>@<host> in IE ]

    > Anyone have any comments regarding legitimate uses of this syntax and
    > Microsoft removing it from their browser? (and presumably the OS since
    > the browser IS the OS).

    There is no legitimate use of this syntax and never was. Although
    RFC 2396 does specify a generic URI syntax allowing

      <user>:<pass>@<host>:<port>

    it expressly excludes those URLs whose syntax is specified in RFC 1738:

    | This document updates and merges "Uniform Resource Locators" [RFC1738]
    | and "Relative Uniform Resource Locators" [RFC1808] in order to define
    | a single, generic syntax for all URI. It excludes those portions of
    | RFC 1738 that defined the specific syntax of individual URL schemes;
    | those portions will be updated as separate documents, as will the
    | process for registration of new URI schemes.

    RFC 1738 clearly says:

    | An HTTP URL takes the form:
    |
    |
    http://>:<port>/<path>?<searchpart>

    So do RFCs 1945 and 2616.

    Regards
    Ansgar Wiechers


  • Next message: Francis Favorini: "RE: MS to stop allowing passwords in URLs"