TriNetre - Archive for February 05, 2004

(no longer updated)

« February 04, 2004 | Main | February 07, 2004 »


February 05, 2004
My GnuPG key
[Misc.] @ 01:02 PM

Starting yesterday, I will be ClearSigning all my emails. You can get my GnuPG key at the MIT Key Server or locally. Use this key to verify my signature or encrypt data for me.

Link | Comments (0) |


Remove bug by discontinuing feature support!
[Software] @ 10:55 AM

So you have a bug in the implementation of a feature in your software, a feature that is part of an RFC specification. What do you do? Well, if you are Microsoft, one of the first options would be to discontinue support for the feature!

Section 3.2.2 (Server-based Naming Authority) of RFC 2396 states:

URL schemes that involve the direct use of an IP-based protocol to a specified server on the Internet use a common syntax for the server component of the URI's scheme-specific data:

<userinfo>@<host>:<port>

where <userinfo> may consist of a user name and, optionally, scheme- specific information about how to gain authorization to access the server.

This feature was used, sometimes for fun, sometime to create havoc for users. For example refer to an old (2001) Kuro5hin story of mine. The browser makers realised this and added support to let the user know that if one follows a URL like "http://www.wingtiptoys.com@example.com", you are actually following a link to "example.com" and not "www.wingtiptoys.com". Opera used the best workaround (IMO) to pop up a box telling the user that he is using a username "www.wingtiptoys.com" to access site "example.com". The user had to click OK to proceed. This was a great way to preserve the standard and security. Internet Explorer took the easy way out. They were able to display "example.com" in the address bar. As stated in Microsoft Knowledge Base Article - 834489

Internet Explorer 6 Service Pack 1 (SP1) and Internet Explorer 6 for Windows Server 2003 only display "http://example.com" in the Address bar. However, earlier versions of Internet Explorer display "http://www.wingtiptoys.com@example.com" in the Address bar.


And they (and we) though that was it!

But with Microsoft, things are never that clean. Soon a bug was found by which you could trick the IE browser to show "www.wingtiptoys.com" in the Address bar (as well as status bar), even IE 6! This was done by inserting a '%00' or '%01' just before the '@example.com'. So if there was a URL coded as 'http://www.wingtiptoys.com%00@example.com', the supposedly robust IE would display www.wingtiptoys.com in the Status bar as well as Address bar! Go ahead, give it a try by putting your pointer over this URL. If you are using IE, the status bar will say 'http://www.wingtiptoys.com'. If you click on it, unless you have the latest specification-breaking patch from Microsoft, even the address bar will say 'http://www.wingtiptoys.com'. The actual site is srijith.net!

Other browsers handled this bug with varying degree of success. Opera as usual dealt with it the best. Pointing to the URL, the status bar will say the real thing - 'http://www.wingtiptoys.com%00@srijith.net', while clicking on it will pop up a warning stating that you are going to visit server srijith.net. Mozilla Firebird gets tricked in the first part. The status bar does display 'http://www.wingtiptoys.com', but if you click on it, the Address bar reveals the full URL 'http://www.wingtiptoys.com%00@srijith.net/'.

So guess how Microsoft engineers decided to overcome thing bug in IE? Well they decided

The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894):

http(s)://username:password@server/resource.ext

In short, since they could not fix the damn bug, they decided to discontinue support for the specification in the RFC! How can a specification laid down by an RFC constitute an "Invalid syntax error"?


Link | Comments (0) |