Full Disclosure mailing list archives

Re: another product affected by recent MS IE '@' patch


From: Guido van Rooij <guido () gvr org>
Date: Mon, 9 Feb 2004 12:59:19 +0100

On Mon, Feb 09, 2004 at 10:42:18AM +1300, Nick FitzGerald wrote:
> Section 3.2.2:
> 
>    http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
> 
> You then have to refer back to RFC 2396 -- coincidentally also section 
> 3.2.2 of that RFC -- for the definitions of the component parts "host" 
> and "port" ("abs_path", etc are irrelevant to this discussion and 
> defined in other sections of 2396).
> 
> There you will see that "host" is a sub-part of the "hostport" part of 
> the "server" component of generic URIs:
> 
>    server        = [ [ userinfo "@" ] hostport ]
> 
>    hostport      = host [ ":" port ]
> 
> and, most importantly, you should note that the "userinfo" part is 
> _outside_ the definition of "hostport", and thus outside the "host" 
> part.  Ergo, HTTP URLs are explicitly (and presumably deliberately) 
> defined to _NOT_ support "userinfo" data so any implementation that 
> does is non-compliant.

Following the same reasoning, the HTTP URLs are also "deliberately" defined
to not support port numbers. I fail to believe that this was intentional.

-Guido

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
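Added example, not code from the thread or from either poster: the two grammar fragments discussed above, the RFC 2396 "server"/"hostport" productions and the RFC 2616 http_URL production quoted from section 3.2.2, written as two small Python parsers. The generic RFC 2396 parser assigns whatever precedes the "@" in the authority to userinfo, so the host a client would actually contact is the name after the "@"; the strict http_URL parser has no userinfo slot at all and rejects such a URL. The regular expressions are simplified versions of the RFC character classes, the function names (`parse_generic_server`, `parse_http_url`, `audit_url`) are my own, and the sample URLs are constructed from RFC 2606 reserved example names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified character classes for the RFC 2396 productions (helper regexes
# written for this example; "host" covers hostnames and IPv4 literals).
_USERINFO = r"(?:(?P<userinfo>[A-Za-z0-9\-_.!~*'();:&=+$,%]*)@)?"  # [ userinfo "@" ]
_HOST = r"(?P<host>[A-Za-z0-9.\-]+)"                               # host
_PORT = r"(?::(?P<port>[0-9]*))?"                                  # [ ":" port ]

# RFC 2396 3.2.2:  server = [ [ userinfo "@" ] hostport ]
#                  hostport = host [ ":" port ]
_GENERIC_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://" + _USERINFO + _HOST + _PORT
    + r"(?P<rest>[/?#].*)?$"
)

# RFC 2616 3.2.2:  http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
# Only "host" and "port" are borrowed from RFC 2396; there is no userinfo slot.
_HTTP_RE = re.compile(
    r"^http://" + _HOST + _PORT + r"(?P<rest>(?:/[^?]*)?(?:\?.*)?)$"
)


@dataclass(frozen=True)
class Authority:
    userinfo: Optional[str]  # None when no "@" separator was present
    host: str
    port: Optional[int]      # None when ":port" is absent or empty


def _port_of(m: "re.Match[str]") -> Optional[int]:
    p = m.group("port")
    return int(p) if p else None


def parse_generic_server(url: str) -> Authority:
    """Split a server-based URI the way the RFC 2396 generic grammar does:
    the text before the '@' in the authority is userinfo, the host is what
    follows it."""
    m = _GENERIC_RE.match(url)
    if m is None:
        raise ValueError(f"not a server-based URI: {url!r}")
    return Authority(m.group("userinfo"), m.group("host"), _port_of(m))


def parse_http_url(url: str) -> Authority:
    """Parse strictly against the http_URL production of RFC 2616: an '@'
    in the authority has no place in the grammar, so the URL is rejected."""
    m = _HTTP_RE.match(url)
    if m is None:
        raise ValueError(f"not an RFC 2616 http_URL: {url!r}")
    return Authority(None, m.group("host"), _port_of(m))


def audit_url(url: str) -> dict:
    """Defensive summary for a URL filter or log-review script: the host a
    generic parser resolves, whether userinfo is present, and whether the
    URL also satisfies the stricter http_URL grammar."""
    generic = parse_generic_server(url)
    try:
        parse_http_url(url)
        conformant = True
    except ValueError:
        conformant = False
    return {
        "effective_host": generic.host,
        "has_userinfo": generic.userinfo is not None,
        "rfc2616_conformant": conformant,
    }


if __name__ == "__main__":
    # Constructed sample inputs using RFC 2606 reserved names.
    for sample in ("http://www.example.com/index.html",
                   "http://www.example.com:8080/path?q=1",
                   "http://www.example.com@www.example.net/",
                   "http://user:secret@www.example.net:81/"):
        print(sample, "->", audit_url(sample))
```

The two parsers disagree on exactly the URLs this thread is about: the generic parser reports `www.example.net` as the effective host of `http://www.example.com@www.example.net/`, while the http_URL parser refuses the string. A proxy, filter or log-review tool that wants to flag such links only needs the `has_userinfo` and `rfc2616_conformant` fields.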