Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: another product affected by recent MS IE '@' patch

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 09 Feb 2004 10:42:18 +1300
mescsa <mescsa () yahoo com> to me:


I don't know what you've been
smoking/drinking/whatever, but get off it 
and go read the relevant RFCs -- 1945 & 2616.  Do
_NOT_ be misled by 
RFC 2396 -- it is relevant, but largely for the
parts of a URI's 
general form that are specifically negated in the
other RFCs.


Can you give any hint where to find this vital
information within RFC 2616? I'm misled, too.


Section 3.2.2:

   http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

You then have to refer back to RFC 2396 -- coincidentally also section 
3.2.2 of that RFC -- for the definitions of the component parts "host" 
and "port" ("abs_path", etc are irrelevant to this discussion and 
defined in other sections of 2396).

There you will see that "host" is a sub-part of the "hostport" part of 
the "server" component of generic URIs:

   server        = [ [ userinfo "@" ] hostport ]

   hostport      = host [ ":" port ]

and, most importantly, you should note that the "userinfo" part is 
_outside_ the definition of "hostport", and thus outside the "host" 
part.  Ergo, HTTP URLs are explicitly (and presumably deliberately) 
defined to _NOT_ support "userinfo" data so any implementation that 
does is non-compliant.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: