[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] another product affected by recent MS IE '@' patch
- To: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Subject: Re: [Full-Disclosure] another product affected by recent MS IE '@' patch
- From: Guido van Rooij <guido@gvr.org>
- Date: Mon, 9 Feb 2004 12:59:19 +0100
On Mon, Feb 09, 2004 at 10:42:18AM +1300, Nick FitzGerald wrote:
> Section 3.2.2:
>
> http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
>
> You then have to refer back to RFC 2396 -- coincidentally also section
> 3.2.2 of that RFC -- for the definitions of the component parts "host"
> and "port" ("abs_path", etc are irrelevant to this discussion and
> defined in other sections of 2396).
>
> There you will see that "host" is a sub-part of the "hostport" part of
> the "server" component of generic URIs:
>
> server = [ [ userinfo "@" ] hostport ]
>
> hostport = host [ ":" port ]
>
> and, most importantly, you should note that the "userinfo" part is
> _outside_ the definition of "hostport", and thus outside the "host"
> part. Ergo, HTTP URLs are explicitly (and presumably deliberately)
> defined to _NOT_ support "userinfo" data so any implementation that
> does is non-compliant.
Following the same reasoning, the HTTP URLs are also "deliberately" defined
to not support port numbers. I fail to believe that this was intentional.
-Guido
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html