Re: MS to stop allowing passwords in URLs
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 02/03/04
- In reply to: McAllister, Andrew: "MS to stop allowing passwords in URLs"
- Next in thread: Francis Favorini: "RE: MS to stop allowing passwords in URLs"
Date: Tue, 3 Feb 2004 11:32:12 +0100
To: bugtraq@securityfocus.com
On 2004-01-28 McAllister, Andrew wrote:
> [ MS about to invalidate usage of http://
> Anyone have any comments regarding legitimate uses of this syntax and
> Microsoft removing it from their browser? (and presumably the OS since
> the browser IS the OS).

There is no legitimate use of this syntax and never was. Although
RFC 2396 does specify a generic URI syntax allowing
<user>:<pass>@<host>:<port>
it expressly excludes those URLs whose syntax is specified in RFC 1738:

| This document updates and merges "Uniform Resource Locators" [RFC1738]
| and "Relative Uniform Resource Locators" [RFC1808] in order to define
| a single, generic syntax for all URI. It excludes those portions of
| RFC 1738 that defined the specific syntax of individual URL schemes;
| those portions will be updated as separate documents, as will the
| process for registration of new URI schemes.

RFC 1738 clearly says:

| An HTTP URL takes the form:
|
| http://

So do RFCs 1945 and 2616.

Regards
Ansgar Wiechers
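As an added example that is not part of the original post: a small Python check, built on the standard library's generic URL splitter, that reports when an http(s) URL carries a userinfo part (which the RFC 1738 HTTP form quoted above does not define) and strips it back to the host:port form. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# RFC 2396's generic authority is [userinfo "@"] hostport. The HTTP-specific
# grammars (RFC 1738 / 2616) define only host[:port], so any userinfo present
# in an http(s) URL is outside that scheme's own syntax.
HTTP_SCHEMES = {"http", "https"}


def inspect_url(url: str) -> dict:
    """Split url with the generic parser and report whether its authority
    carries a userinfo part that the http URL grammar lacks."""
    parts = urlsplit(url)
    has_userinfo = parts.username is not None or parts.password is not None
    scheme = parts.scheme.lower()
    return {
        "scheme": scheme,
        "userinfo": (parts.username, parts.password) if has_userinfo else None,
        "host": parts.hostname,
        "port": parts.port,
        # True when the URL mixes generic userinfo into an HTTP URL
        "non_http_userinfo": has_userinfo and scheme in HTTP_SCHEMES,
    }


def strip_userinfo(url: str) -> str:
    """Return url with any user:pass@ removed from the authority, leaving the
    http://<host>:<port>/<path>?<searchpart> form."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Everything after the last "@" is the host[:port] the scheme actually uses
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample URLs
    for sample in ("http://user:secret@www.example.com:8080/path?q=1",
                   "http://www.example.com/",
                   "ftp://anonymous:guest@ftp.example.com/"):
        info = inspect_url(sample)
        print(sample, "->", info["non_http_userinfo"], strip_userinfo(sample))
```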