Full Disclosure mailing list archives

Re: Interesting side effect of the new IE patch


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 07 Feb 2004 02:16:29 +1300

rhetorical question <ypwhich () io com> wrote:

> I *may* be wrong.  But I do believe the  "http://username:password@... " bit 
> has been around for some time.  ...

In the KB article describing this change Microsoft says it introduced 
handling of "userinfo" in HTTP[S] URLs in IE 3.0.  That was what -- 
1996 or 1997?  Whatever, I think we'd agree that in computing or 
Internet terms that is a fair while ago...

> ...  I remember finding that out a long time ago, 
> which was convenient in regards to browsing FTP sites which require a login/
> password.  Was using Netscape Navigator Gold, mid 90s.
>
> I still have some of my old browsers, will install a few and test it out.

As has been discussed (at length) in this and obviously related 
threads, the change in IE specifically affects HTTP and HTTPS URLs.  
IE's handling of FTP URLs is irrelevant as the "userinfo" syntax is 
allowed for such URLs and is not claimed to have been altered.  
Microsoft has simply, very belatedly, pulled this aspect of IE's 
behaviour into line with the standards that define what an HTTP[S] 
protocol handler should do.  


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
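
The rule described in the message above (userinfo accepted in FTP URLs, rejected in HTTP[S] URLs), sketched as an added example that is not part of the original post and is not IE's code. It uses the WHATWG `URL` parser available in Node.js and browsers; the function name `inspectUrl` and the sample URLs are constructed for illustration.

```javascript
// Added example: classify URLs by whether they carry "userinfo"
// (the "user:password@" part) and whether the scheme permits it.
// Assumption: policy is "reject userinfo for http/https, allow for ftp".
const USERINFO_REJECTED = new Set(["http:", "https:"]);

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw); // throws TypeError on unparseable input
  } catch (e) {
    return { raw, valid: false, rejected: true };
  }
  // The parser exposes userinfo separately from the host, so an "@"
  // that appears later in the path or query is not mistaken for it.
  // Note: an empty userinfo ("http://@host/") parses as no userinfo.
  const hasUserinfo = u.username !== "" || u.password !== "";
  return {
    raw,
    valid: true,
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,                 // the host that is actually contacted
    username: hasUserinfo ? u.username : null, // password deliberately omitted
    hasUserinfo,
    rejected: hasUserinfo && USERINFO_REJECTED.has(u.protocol),
  };
}

// Constructed sample URLs (reserved example domains only).
const SAMPLES = [
  "http://user:secret@www.example.com/",
  "https://www.example.com@files.example.net/login",
  "ftp://anonymous:guest@ftp.example.org/pub/",
  "http://www.example.com/a@b",
];

function inspectAll() {
  return SAMPLES.map(inspectUrl);
}

for (const r of inspectAll()) {
  console.log(r.rejected ? "REJECT" : "ok    ", r.scheme, "host=" + r.host,
              "userinfo=" + (r.hasUserinfo ? r.username + "@" : "-"));
}
```

In the second sample the text before the "@" is userinfo, so the host field shows `files.example.net`, not `www.example.com`.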

