Full Disclosure mailing list archives
Re: another product affected by recent MS IE '@' patch
From: Guido van Rooij <guido () gvr org>
Date: Mon, 9 Feb 2004 12:59:19 +0100
On Mon, Feb 09, 2004 at 10:42:18AM +1300, Nick FitzGerald wrote:
Section 3.2.2:
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
You then have to refer back to RFC 2396 -- coincidentally also section
3.2.2 of that RFC -- for the definitions of the component parts "host"
and "port" ("abs_path", etc are irrelevant to this discussion and
defined in other sections of 2396).
There you will see that "host" is a sub-part of the "hostport" part of
the "server" component of generic URIs:
server = [ [ userinfo "@" ] hostport ]
hostport = host [ ":" port ]
and, most importantly, you should note that the "userinfo" part is
_outside_ the definition of "hostport", and thus outside the "host"
part. Ergo, HTTP URLs are explicitly (and presumably deliberately)
defined to _NOT_ support "userinfo" data so any implementation that
does is non-compliant.
Following the same reasoning, the HTTP URLs are also "deliberately" defined to not support port numbers. I fail to believe that this was intentional. -Guido _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- another product affected by recent MS IE '@' patch martin f krafft (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- Re: another product affected by recent MS IE '@' patch Guido van Rooij (Feb 09)
- Re: another product affected by recent MS IE '@' patch Guido van Rooij (Feb 09)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 09)
- Exclusive: Windows 2000 & Windows NT 4 Source Code Leaks jB (Feb 12)
- Re: another product affected by recent MS IE '@' patch mescsa (Feb 08)
- Re: another product affected by recent MS IE '@' patch Nick FitzGerald (Feb 08)
- <Possible follow-ups>
- RE: another product affected by recent MS IE '@' patch David Farinic (Feb 09)
- RE: another product affected by recent MS IE '@' patch Darren Bennett (Feb 09)
- RE: another product affected by recent MS IE '@' patch Brad Griffin (Feb 09)
