[67150] in North American Network Operators' Group


Re: Latest IE patch breaking non username:password@encoded websites?

daemon@ATHENA.MIT.EDU (Scott Call)
Tue Feb 3 13:34:14 2004

Date: Tue, 3 Feb 2004 10:31:16 -0800 (PST)
From: Scott Call <scall@devolution.com>
To: <nanog@merit.edu>
In-Reply-To: <505376125.1075814423@[10.3.1.216]>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 3 Feb 2004, Jeff Workman wrote:

> My guess is that too many people were getting burned by URLs like this:
>
> http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67
>
> -Jeff

Right, but the bug wasn't basic auth in a URL; it was that the %01 character
stopped Outlook and IE from displaying the rest of the URL, so
http://www.ebay.com%01@boogeyman.gov/ would show just "www.ebay.com" in
both Outlook and the URL bar.

The problem isn't the auth but the masking ability of the escaped
characters.

Oh well, one more standard "Embraced and Extended" by the beast....

-S


-- 
Scott Call	Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
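
The check below is an added example, not part of the original message: it extracts the host a client would actually contact from a URL and flags the two masking tricks discussed in this thread (a hostname-like userinfo before `@`, and percent-encoded control characters such as %01 in the authority). The function name, the finding labels and the benign sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# %00-%1F and %7F: encoded control bytes, which never belong in an authority.
CTRL_ESCAPE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")
ANY_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def inspect_url(url):
    """Return the real host, the host a reader is led to see, and findings."""
    authority = urlsplit(url).netloc
    # Everything before the last '@' is userinfo; only what follows is the host.
    userinfo, at, hostport = authority.rpartition("@")
    real_host = unquote(re.sub(r":\d*$", "", hostport)).lower()
    apparent_host = None
    findings = []
    if at:
        findings.append("userinfo-present")
        user = unquote(userinfo.split(":", 1)[0])
        # Assumption: treat any control character like the %01 case in the
        # thread, where the display stopped at that character.
        visible = re.split(r"[\x00-\x1f\x7f]", user, maxsplit=1)[0]
        if "." in visible:
            apparent_host = visible.lower()
            findings.append("userinfo-looks-like-host")
    if CTRL_ESCAPE.search(authority):
        findings.append("encoded-control-char")
    if ANY_ESCAPE.search(hostport):
        findings.append("percent-encoded-host")
    return {"real_host": real_host, "apparent_host": apparent_host,
            "findings": findings}

# The first two URLs are the ones quoted in the thread; the third is a
# constructed benign control.
SAMPLES = [
    "http://www.ebay.com%01@boogeyman.gov/",
    "http://www.microsoft.com@%77%77%77%2E%70%69%6D%70%77%6F%72%6B%73%2E%6F%72%67",
    "https://www.example.com/search?q=a%20b",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_url(sample)
        print(sample)
        print("  real host:    ", result["real_host"])
        print("  apparent host:", result["apparent_host"])
        print("  findings:     ", ", ".join(result["findings"]) or "none")
```

A mail or proxy filter can act on a mismatch between `apparent_host` and `real_host`, or simply on any non-empty `findings` list for http/https links.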

