| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Interesting side effect of the new IE patch rhetorical question <ypwhich@...com> wrote: > I *may* be wrong. But I do believe the "http://username:password@... " bit > has been around for some time. ... In the KB article describing this change Microsoft says it introduced handling of "userinfo" in HTTP[S] URLs in IE 3.0. That was what -- 1996 or 1997? Whatever, I think we'd agree that in computing or Internet terms that is a fair while ago... > ... I remember finding that out a long time ago, > which was convient in regards to browsing FTP sites which require a login/ > password. Was using Netscape Navigator Gold, mid 90s. > > I still have some of my old browsers, will install a few and test it out. As has been discussed (at length) in this and obviously related threads, the change in IE specifically affects HTTP and HTTPS URLs. IE's handling of FTP URLs is irrelevant as the "userinfo" syntax is allowed for such URLs and is not claimed to have been altered. Microsoft has simply, very belatedly, pulled this aspect of IE's behaviour into line with the standards that define what an HTTP[S] protocol handler should do. Regards, Nick FitzGerald
Powered by blists - more mailing lists