On Wed, 18 Oct 2000, Nick May wrote:
> I am curious as to the technical limitations (or deviations) of the docomo
> proxy/dns from what is available on the net. I am not sure what the RFCs
> say about the url I posted - but it works fine on the 'net...
Yes it is in the RFC and yes it is a security risk (but then
again, passing username and password in a URL always is).
http://www.faqs.org/rfcs/rfc2396.html
-cut-
3.2.2. Server-based Naming Authority

   URL schemes that involve the direct use of an IP-based protocol to a
   specified server on the Internet use a common syntax for the server
   component of the URI's scheme-specific data:

      <userinfo>@<host>:<port>

   where <userinfo> may consist of a user name and, optionally, scheme-
   specific information about how to gain authorization to access the
   server. The parts "<userinfo>@" and ":<port>" may be omitted.

      server        = [ [ userinfo "@" ] hostport ]

   The user information, if present, is followed by a commercial at-sign
   "@".

      userinfo      = *( unreserved | escaped |
                         ";" | ":" | "&" | "=" | "+" | "$" | "," )

   Some URL schemes use the format "user:password" in the userinfo
   field. This practice is NOT RECOMMENDED, because the passing of
   authentication information in clear text (such as URI) has proven to
   be a security risk in almost every case where it has been used.
-cut-
--
Mika Tuupola http://www.appelsiini.net/~tuupola/
Received on Wed Oct 18 17:03:35 2000
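
The RFC 2396 `server` and `userinfo` rules quoted in the message above, applied as a log scrubber (an added example, not part of the original post): it splits the authority at the "@", checks the userinfo against the quoted grammar, and redacts any "user:password" before the URL is stored. The function names, the `REDACTED` marker and the sample log lines are assumptions constructed for illustration.

```python
import re

# Character classes from RFC 2396: "unreserved" plus the extra userinfo marks.
UNRESERVED = r"A-Za-z0-9\-_.!~*'()"
USERINFO_RE = re.compile("(?:[" + UNRESERVED + ";:&=+$,]|%[0-9A-Fa-f]{2})*")
# scheme "://" authority, where the authority ends at "/", "?", "#" or whitespace.
URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.\-]*)://([^/?#\s]*)")

def split_server(authority):
    """Apply server = [ [ userinfo "@" ] hostport ]; return (userinfo, hostport)."""
    if "@" not in authority:
        return None, authority
    userinfo, hostport = authority.rsplit("@", 1)
    if not USERINFO_RE.fullmatch(userinfo):
        raise ValueError("userinfo outside the RFC 2396 grammar: %r" % userinfo)
    return userinfo, hostport

def redact_credentials(text):
    """Return (redacted text, [(scheme, hostport, has_password), ...])."""
    findings = []

    def repl(match):
        scheme, authority = match.group(1), match.group(2)
        try:
            userinfo, hostport = split_server(authority)
        except ValueError:
            # Malformed userinfo: treat all of it as secret rather than guess.
            hostport = authority.rsplit("@", 1)[1]
            findings.append((scheme, hostport, True))
            return scheme + "://REDACTED@" + hostport
        if userinfo is None:
            return match.group(0)
        user, colon, _password = userinfo.partition(":")
        findings.append((scheme, hostport, bool(colon)))
        return scheme + "://" + user + (":REDACTED" if colon else "") + "@" + hostport

    return URL_RE.sub(repl, text), findings

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = (
    "GET http://alice:s3cret@example.com:8080/inbox 200\n"
    "GET ftp://anonymous@ftp.example.org/pub 200\n"
    "GET http://example.net/index.html 200\n"
)

if __name__ == "__main__":
    redacted, findings = redact_credentials(SAMPLE_LOG)
    print(redacted, findings)
```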