On Feb 3, 2004, at 1:08 PM, Zac Elston wrote:
i have a url that is "http://username:[EMAIL PROTECTED]/path/file.pl?var1=foo
Ugh. This format of URL may no longer be usable. I just read that good ol' Microsoft is breaking RFCs for URLs, which could make your job hell if you are a web developer:
<http://www.infoworld.com/article/04/01/29/HNiechange_1.html>
"""...a recently-discovered flaw in the way that IE parses URLs allows scam artists to completely replace Web URLs that use the username:password@ formatting with a URL of their choosing, regardless of which Web page is actually displayed in IE. Microsoft was criticized in recent weeks for not moving to patch that vulnerability when it released its other January security updates.
Microsoft, like many other browser makers, based its support of the username:password@ syntax on Internet standards documents, such as Internet Engineering Task Force (IETF) documents RFC (Request For Comments) 1738, which specifies how URLs on the Internet should be formatted, and RFC 2616 that specifies how HTTP URLs should be formatted, Fitzgerald said.
The change announced on Tuesday will violate some of those specifications, but benefit consumers, according to Russ Cooper, TruSecure Corp. Surgeon General and moderator of the NTBugtraq security discussion group.
"No doubt some who will cry foul...or sob because needed functionality is now gone or Web sites have to be recoded," Cooper wrote in a message posted to NTBugtraq Wednesday. "To them I say a big 'Too bad!'. The average user, the victim of phishing scams, isn't going to miss the functionality but will happily miss the scams."
That said, Microsoft should try to find a way to safely handle URLs with passwords in them, Cooper said."""
-- Alex Rice | Mindlube Software | http://mindlube.com
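The username:password@ confusion described in the quoted article, seen from the checking side, as an added example that is not part of the original message or the article. It uses the standard WHATWG `URL` parser to report the host a URL really points at and to flag userinfo that reads like a site name; the function names, the host-like heuristic and every sample URL are constructed assumptions.

```javascript
// Added example: find the real host of a URL and flag userinfo
// (the part before "@") that could be mistaken for the site name.

// Assumed heuristic: userinfo shaped like a dotted DNS name is suspicious.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Percent-decoding can throw on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { valid: false, verdict: "unparseable" };
  }
  const user = safeDecode(u.username);
  const hasUserinfo = u.username !== "" || u.password !== "";
  let verdict = "ok";
  if (hasUserinfo) {
    // The host is whatever follows the last "@" in the authority;
    // anything before it is only a credential.
    const looksLikeHost = HOSTLIKE.test(user) && user.toLowerCase() !== u.hostname;
    verdict = looksLikeHost ? "deceptive-userinfo" : "has-userinfo";
  }
  return { valid: true, host: u.hostname, user, hasUserinfo, verdict };
}

// Constructed samples (reserved .test names, RFC 5737 documentation address).
const SAMPLES = [
  "http://www.example.test/path/file.pl?var1=foo",
  "http://username:secret@intranet.test/path/file.pl?var1=foo",
  "http://www.example-bank.test@203.0.113.5/login",
  "http://www.example-bank.test:80@203.0.113.5/login",
  "not a url",
];

for (const s of SAMPLES) {
  const r = inspectUrl(s);
  console.log(`${r.verdict.padEnd(20)} host=${r.host || "-"}  ${s}`);
}
```

The fourth sample shows why the port-like `:80` does not help a reader: the parser treats it as the password, and the host is still `203.0.113.5`.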
