Internet Explorer URL Display problem
Randal, Phil
prandal at HEREFORDSHIRE.GOV.UK
Fri Dec 12 11:47:22 GMT 2003
Oops, egg on face time...
RFC 2396 (http://www.faqs.org/rfcs/rfc2396.html) generalises URIs.
Sorry for the noise,
Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Randal, Phil
> Sent: 12 December 2003 10:24
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Internet Explorer URL Display problem
>
>
> When in doubt, consult the RFCs. RFC 1738
> (http://www.faqs.org/rfcs/rfc1738.html)
> says:
>
> "3.3. HTTP
>
> The HTTP URL scheme is used to designate Internet resources
> accessible using HTTP (HyperText Transfer Protocol).
>
> The HTTP protocol is specified elsewhere. This specification only
> describes the syntax of HTTP URLs.
>
> An HTTP URL takes the form:
>
> http://<host>:<port>/<path>?<searchpart>
>
> where <host> and <port> are as described in Section 3.1. If :<port>
> is omitted, the port defaults to 80. No user name or password is
> allowed."
>
> Interesting! I wonder what would break if we were that strict?
>
> Cheers,
>
> Phil
>
> ---------------------------------------------
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Antony Stone
> > Sent: 11 December 2003 15:42
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: Internet Explorer URL Display problem
> >
> >
> > On Thursday 11 December 2003 3:34 pm, Julian Field wrote:
> >
> > > At 15:27 11/12/2003, you wrote:
> > > >%0[0-9] would be better (or something like that).
> > >
> > > %[01][0-9a-fA-F]
> > > instead of
> > > %01
> > > perhaps?
> > >
> > > I would imagine that the guy who found this exploit tested other characters
> > > too and found them not to be vulnerable. So %01 is probably good enough.
> >
> > The report at http://www.secunia.com/advisories/10395 mentions that %00 at
> > least is also effective.
> >
> > Antony.
> >
> > --
> > If you want to be happy for an hour, get drunk.
> > If you want to be happy for a year, get married.
> > If you want to be happy for a lifetime, get a garden.
> >
> > Please reply to the list;
> > please don't CC me.
> >
>
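
An added example, not part of the original thread and not MailScanner's own code: a Python sketch of the two checks discussed above, the `%[01][0-9a-fA-F]` escape pattern and the strict RFC 1738 reading that an HTTP URL carries no user name or password. The function names, the URL-extraction regex, the sample text and the choice to test only the authority part of the URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern proposed in the thread: percent-escapes %00 through %1F.
CONTROL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")
# Loose matcher to pull http/https URLs out of message text (assumption).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_url(url):
    """Return a list of reasons the URL looks suspicious (empty if none)."""
    reasons = []
    netloc = urlsplit(url).netloc
    # Assumption: only the authority part (before the path) is examined.
    if CONTROL_ESCAPE.search(netloc):
        reasons.append("control-escape")
    # Strict RFC 1738 reading: no user name or password in an HTTP URL.
    if "@" in netloc:
        reasons.append("userinfo")
    return reasons


def scan_text(text):
    """Map each flagged URL found in text to its reasons."""
    findings = {}
    for url in URL_RE.findall(text):
        reasons = check_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample message body; hosts are reserved example names.
SAMPLE = """\
Plain link: http://www.example.com/index.html
With port: http://www.example.com:8080/a?b=c
Escaped byte in the path only: http://www.example.com/a%01b
Userinfo: http://user@www.example.org/
Userinfo with escaped control byte: http://www.example.com%01@www.example.net/login
"""

if __name__ == "__main__":
    for url, reasons in scan_text(SAMPLE).items():
        print(", ".join(reasons), url)
```

The "userinfo" check alone answers the "what would break if we were that strict?" question for a given mail stream: every URL it reports is one that a strict RFC 1738 filter would reject.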