[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] another product affected by recent MS IE '@' patch
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] another product affected by recent MS IE '@' patch
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Mon, 09 Feb 2004 10:42:18 +1300
mescsa <mescsa@yahoo.com> to me:
> > I don't know what you've been
> > smoking/drinking/whatever, but get off it
> > and go read the relevant RFCs -- 1945 & 2616. Do
> > _NOT_ be misled by
> > RFC 2396 -- it is relevant, but largely for the
> > parts of a URI's
> > general form that are specifically negated in the
> > other RFCs.
>
> Can you give any hint where to find this vital
> information within RFC 2616? I'm misled, too.
Section 3.2.2:
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
You then have to refer back to RFC 2396 -- coincidentally also section
3.2.2 of that RFC -- for the definitions of the component parts "host"
and "port" ("abs_path", etc are irrelevant to this discussion and
defined in other sections of 2396).
There you will see that "host" is a sub-part of the "hostport" part of
the "server" component of generic URIs:
server = [ [ userinfo "@" ] hostport ]
hostport = host [ ":" port ]
and, most importantly, you should note that the "userinfo" part is
_outside_ the definition of "hostport", and thus outside the "host"
part. Ergo, HTTP URLs are explicitly (and presumably deliberately)
defined to _NOT_ support "userinfo" data so any implementation that
does is non-compliant.
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html