Vulnerability Development mailing list archives

RE: Winnt/Win2k Vuln ?


From: "David Schwartz" <davids () webmaster com>
Date: Sat, 11 Aug 2001 21:51:13 -0700


Louis-Eric Simard wrote:

The major distinction here should be one of action-domain constraints;

        Exactly.

As we are limited by the fact that the shoddy name space is now prevalent,
then context needs to be taken into account. As one types in a URL without
specifying the underlying protocol (http:// or file://), there should be no
ambiguity that the expected protocol is http, just as we do not naturally
expect file system requests to be carried over the web. The fix is in
filling-in missing protocol details, within logical usage contexts, before
the request allocator gets a chance to goof it up.

        For the record, I have submitted complaints/requests to the coders of both
IE and Netscape arguing that, for example, 'ftp.microsoft.com' should be
interpreted as 'http://ftp.microsoft.com' and not 'ftp://ftp.microsoft.com'
(and analogously, the browser should not try to figure out what the user
meant (ESP?) but should have a consistent default). I was basically laughed
at by both Microsoft and Netscape.

        I don't think it's unreasonable to have different operating modes where
different defaults take place. For example, when acting as a 'file manager',
file:// can be the default protocol. However, IMO, in ALL cases, the
fully-qualified URL of the site/file you wind up at MUST be shown to the
user. It is a serious error to abbreviate the displayed URL as IE does. I do
not believe Netscape does this.

        DS
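The two design rules argued above (fill in the missing scheme from the usage context with a fixed default, never from guesses about the hostname, and always show the fully-qualified URL that will actually be requested) can be made concrete in a few lines. The following is an added example written for this archive page, not code from either correspondent or from any browser; the mode names "web" and "filemgr", the helper names and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: each operating mode has exactly one fixed
# default scheme, so the same typed text always resolves the same way.
DEFAULT_SCHEME = {
    "web": "http",      # address bar of a browser: bare names are http
    "filemgr": "file",  # acting as a file manager: bare names are file paths
}

# An explicit scheme is only recognised when written out as "scheme://".
# Requiring "://" keeps "localhost:8080" (a host and port) and "C:\temp"
# (a Windows drive letter) from being mistaken for a scheme, which is the
# trap urllib.parse.urlsplit falls into on its own.
EXPLICIT_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def qualify(typed: str, mode: str) -> str:
    """Return the fully-qualified URL that will be requested for `typed`.

    The scheme comes from the operating mode, never from the hostname:
    'ftp.microsoft.com' typed into the web mode is http://ftp.microsoft.com,
    whatever its first label happens to be.
    """
    if mode not in DEFAULT_SCHEME:
        raise ValueError(f"unknown operating mode: {mode!r}")
    s = typed.strip()
    if not s:
        raise ValueError("empty location")
    if EXPLICIT_SCHEME_RE.match(s):
        return s  # the user said what they meant; do not second-guess it
    default = DEFAULT_SCHEME[mode]
    if default == "file":
        # Normalise a local path into file:///... form (Windows or POSIX).
        path = s.replace("\\", "/")
        if not path.startswith("/"):
            path = "/" + path
        return "file://" + path
    return f"{default}://{s}"


def address_bar_text(url: str) -> str:
    """What the user must be shown: the whole URL, scheme included.

    Refuses to display anything that is not fully qualified, so an
    abbreviated or scheme-less string can never reach the address bar.
    """
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError(f"refusing to display unqualified location {url!r}")
    return url


if __name__ == "__main__":
    for typed, mode in [("ftp.microsoft.com", "web"),
                        ("ftp://ftp.microsoft.com", "web"),
                        ("localhost:8080", "web"),
                        (r"C:\temp", "filemgr"),
                        ("/etc/hosts", "filemgr")]:
        print(f"{mode:8} {typed!r:28} -> {address_bar_text(qualify(typed, mode))}")
```

The invariant the second function enforces is the one the post insists on: the string shown to the user is the same fully-qualified URL that `qualify` produced for the request, never a shortened form of it.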
