Full Disclosure mailing list archives
Re: another product affected by recent MS IE '@' patch
From: Guido van Rooij <guido () gvr org>
Date: Mon, 9 Feb 2004 12:59:19 +0100
On Mon, Feb 09, 2004 at 10:42:18AM +1300, Nick FitzGerald wrote:
> Section 3.2.2:
>
>    http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
>
> You then have to refer back to RFC 2396 -- coincidentally also section
> 3.2.2 of that RFC -- for the definitions of the component parts "host"
> and "port" ("abs_path", etc are irrelevant to this discussion and
> defined in other sections of 2396). There you will see that "host" is
> a sub-part of the "hostport" part of the "server" component of generic
> URIs:
>
>    server = [ [ userinfo "@" ] hostport ]
>    hostport = host [ ":" port ]
>
> and, most importantly, you should note that the "userinfo" part is
> _outside_ the definition of "hostport", and thus outside the "host"
> part. Ergo, HTTP URLs are explicitly (and presumably deliberately)
> defined to _NOT_ support "userinfo" data so any implementation that
> does is non-compliant.

Following the same reasoning, the HTTP URLs are also "deliberately" defined
to not support port numbers. I fail to believe that this was intentional.

-Guido

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
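
The two productions quoted in the message above, applied to sample URLs as a check a proxy or mail filter could run. This is an added example, not part of the original post; the function names are hypothetical and the URLs are constructed.

```python
from urllib.parse import urlsplit


def split_server(url):
    """Decompose the authority per the quoted RFC 2396 production:
    server = [ [ userinfo "@" ] hostport ], hostport = host [ ":" port ]."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo if at else None,
        "host": parts.hostname,   # the host a client actually connects to
        "port": parts.port,       # None when the URL omits it
    }


def matches_quoted_http_url(url):
    """True if the URL fits http_URL as quoted in the message:
    "http:" "//" host [ ":" port ] ..., which has no userinfo slot."""
    s = split_server(url)
    return s["scheme"] == "http" and s["userinfo"] is None and bool(s["host"])


def review(url):
    """One-line verdict suitable for a log entry."""
    s = split_server(url)
    if s["userinfo"] is not None:
        return (f"REJECT userinfo={s['userinfo']!r} precedes '@'; "
                f"real host is {s['host']!r}")
    return f"OK host={s['host']!r} port={s['port'] or 'default'}"


# Constructed sample URLs (documentation domain and address range).
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www.example.com:8080/index.html",
    "http://www.example.com@192.0.2.10/login",
    "http://www.example.com:80@192.0.2.10:8080/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u}\n    {review(u)}")
```

The last sample shows why the text before the "@" needs flagging: it can itself look like a host and port, while the connection goes to the host after the "@".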