Just to follow up on this discussion after actually *reading* the relevant
RFC:
hammer <[EMAIL PROTECTED]> wrote:
> "[EMAIL PROTECTED]" as valid, and consider "%1%2%3%4%5%@%7%8%9%10" evenly
> right as something completely different: which promptly then would
> not work; and could not work and is meant to choke when force-fed with
> it - and *that's* the point.
>
> Maybe the original definition of how to write URLs/URIs, written and
> agreed upon long time ago, may have proven ambiguous; but there are
> common procedures to change standards. [...]
The standard IS to support the syntax:
http://user:passwd@host/url
I've got a password-protected web site (host) where (user) can log in using
(passwd). If I just go to http://host/url, I'm presented with a login to
authenticate. If I use the *STANDARD* syntax supported by the RFC, I can
skip that whole step. Whether or not saving passwords in cleartext is a good
idea is, of course, a whole different discussion. But in any case, this is
hardly a Microsoftie-ism.
The standard IS to support encoding parts of a URL using %xx where 'xx' is a
2 digit hex value. MS seems to have disabled this feature (along with the
decimal and hex equivalents) after spammers and the like used it as a means
to circumvent security. If this is the case, they erred on the side of
security. Reasonable I think, because I've yet to see any mainstream use of
encoding *addresses* in this manner. There may be a way to disable this
'fix' if it's offensive. (I haven't searched MS yet to verify this, but I
did install a security fix that addressed such URLs not too long ago.)
Having *actually read* the RFC, I then tried the following variations in
Netscape under Linux:
http://user:passwd@0xFFFFFFFF/url (where 0xFFFFFFFF is the hex equivalent of
my 32 bit IP address) ... and it worked.
http://user:passwd@123456 (where 123456 is the decimal equivalent of my 32
bit IP address) ... and it worked.
Interestingly, the %XX%XX%XX%XX did not work, so apparently both MSIE and NS
are equally 'broken' in this regard, at least if I'm reading the RFC
correctly.
- Bob
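
Added example, not part of Bob's message: a small Python check that shows which host a URL of the forms discussed above really addresses, the kind of normalisation a mail filter or proxy can apply before judging a link. The function names `numeric_host_to_ip` and `analyse` and the sample URLs are constructed for illustration; only the userinfo, single-number (decimal or 0x hex) and %xx host forms mentioned in the message are handled.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def numeric_host_to_ip(host):
    """Dotted quad for a host written as one 32-bit number (decimal or 0x hex), else None."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            value = int(h, 16)
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))

def analyse(url):
    """Report which host a URL really addresses and which obscuring forms it uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # text after the last '@', port stripped
    decoded = unquote(host)          # undo %xx escapes in the host
    ip = numeric_host_to_ip(decoded)
    findings = []
    if parts.username is not None:   # something precedes '@' in the authority
        findings.append("userinfo")
    if "%" in host:
        findings.append("percent-encoded-host")
    if ip is not None:
        findings.append("numeric-host")
    return {"host": host, "effective_host": ip or decoded, "findings": findings}

# Constructed samples; the first two are the forms quoted in the message.
SAMPLES = [
    "http://user:passwd@0xFFFFFFFF/url",
    "http://user:passwd@123456",
    "http://www.example.com@3232235777/login",  # looks like example.com, is not
    "http://%31%32%37.0.0.1/",
    "http://host/url",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", analyse(u))
```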