--- "Roy T. Fielding" <[EMAIL PROTECTED]> wrote:
> >I've looked at RFCs 2617 (HTTP Auth), 1738 (URLs) and 2616 (HTTP 1.1).
> 
> The relevant spec is RFC 2396.  The slash should be encoded within
> the URL and decoded by the library before being used as a password.

Mhmmm. 2396 is similar to 1738 -- nowhere does it say explicitly that http
URLs can have userid:password in them.

People (like Netscape and LWP) have implemented this anyway.

> As I recall, Netscape and MSIE had various problems with encoded
> passwords in URLs, 

Netscape seems to work fine (see my previous message), and IE5/Mac seems to
work okay, too.

> and they are a bad idea in general for security
> reasons, so don't count on them as a cross-platform solution.

I know. :-)

My point is not whether they are a good or bad idea, but merely that LWP only
supports userids with unencoded characters. It doesn't decode %2F to /
(before base64 encoding it), for example.

Paul
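
The decoding step discussed in this message, as an added Python example that is not part of the original post and is not LWP's code: the userinfo is split while still percent-encoded, each part is then decoded, and only the decoded text is base64-encoded for the Basic Authorization header. The URL, host name and credentials are constructed sample values, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, unquote


def split_userinfo(url):
    """Return (user, password) from the URL's userinfo, percent-decoded.

    The split on '@' and ':' is done on the raw (still-encoded) text, so an
    encoded '/' (%2F) or '@' (%40) inside the password survives intact.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None, None
    raw_userinfo = netloc.rpartition("@")[0]
    raw_user, sep, raw_password = raw_userinfo.partition(":")
    password = unquote(raw_password) if sep else None
    return unquote(raw_user), password


def basic_header(user, password):
    """Build the RFC 2617 Basic credentials value from decoded strings."""
    token = base64.b64encode(f"{user}:{password or ''}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_header_without_decoding(url):
    """The behaviour the message reports: raw userinfo is encoded as is."""
    raw_userinfo = urlsplit(url).netloc.rpartition("@")[0]
    token = base64.b64encode(raw_userinfo.encode("ascii"))
    return "Basic " + token.decode("ascii")


# Constructed sample URL: the password is "pa/ss", written as pa%2Fss.
SAMPLE_URL = "http://alice:pa%2Fss@www.example.com/private/"

if __name__ == "__main__":
    user, password = split_userinfo(SAMPLE_URL)
    # Header the server expects for the password "pa/ss"
    print(basic_header(user, password))
    # Header produced when %2F is never decoded: the server sees "pa%2Fss"
    print(basic_header_without_decoding(SAMPLE_URL))
```

The two headers differ, so a server that stores the password with a literal slash rejects the second one.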
