Re: libwww-perl and proxies
Charles C. Fu (ccwf@klab.caltech.edu)
08 Dec 1998 19:19:05 -0800
> On Thu, 3 Dec 1998, Bob Reveal wrote:
>> I am not under the impression that the
>> http://username:password@host.name/blah is valid "http 1.x protocol
The draft HTTP/1.1 spec doesn't say anything about this issue.
However, the recent RFC 2396 seems on point. It says

    3.2.2. Server-based Naming Authority

    URL schemes that involve the direct use of an IP-based protocol
    to a specified server on the Internet use a common syntax for
    the server component of the URI's scheme-specific data:

       <userinfo>@<host>:<port>

    where <userinfo> may consist of a user name and, optionally,
    scheme-specific information about how to gain authorization to
    access the server....

       userinfo = *( unreserved | escaped |
                     ";" | ":" | "&" | "=" | "+" | "$" | "," )

    Some URL schemes use the format "user:password" in the userinfo
    field. This practice is NOT RECOMMENDED, because the passing of
    authentication information in clear text (such as URI) has
    proven to be a security risk in almost every case where it has
    been used.

and

    It is clearly unwise to use a URL that contains a password
    which is intended to be secret. In particular, the use of a
    password within the 'userinfo' component of a URL is strongly
    disrecommended except in those rare cases where the 'password'
    parameter is intended to be public.

>> I believe the browsers normally take this request and convert it to
>> valid http 1.x protocol request which would be to strip out the
>> username:password from the above URL and send just the URL followed
>> by a header line that included the encoded username:password.
"Jeremy D. Impson" <jdimpson@source.syr.edu> writes:
> It may not be, but LWP and Netscape Navigator both understand it.
Hmm, some brief experimentation with Netscape shows that it indeed
tries to strip out the username, but not necessarily the password.
Also, Netscape doesn't handle all legal userinfo fields. In
particular, it doesn't handle escaped characters, which makes it
impossible to use URLs with usernames having, for example, space
characters.
Usernames with escaped spaces would not be a problem if Netscape did
not have this "smart" behavior and instead simply passed the username
through "as is" as part of the URL.
>> Assuming this is correct, I would not think it would be wise to add
>> this to the core of the LWP library.
I agree. I think the core LWP should not modify URLs unnecessarily.
Netscape's behavior is too high-level.
-ccwf
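
The conversion discussed in this thread (take the userinfo out of the URL, unescape it, and send it as a Basic Authorization header instead), as an added example that is not part of the original message and is not LWP's or Netscape's code. It uses only Python's standard library; `split_userinfo`, `redact`, `host.example` and the credentials are hypothetical names and constructed sample values.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def _cut(url):
    """Split a URL into (parts, userinfo, has_userinfo, hostport)."""
    parts = urlsplit(url)
    # The last "@" in the authority separates userinfo from host:port.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    return parts, userinfo, bool(at), hostport


def split_userinfo(url):
    """Return (url_without_userinfo, headers_to_send)."""
    parts, userinfo, present, hostport = _cut(url)
    clean = urlunsplit((parts.scheme, hostport, parts.path,
                        parts.query, parts.fragment))
    if not present:
        return clean, {}
    # Split on the first ":" BEFORE unescaping, so an escaped %3A inside
    # the user name is not mistaken for the user/password separator.
    user, _, password = userinfo.partition(":")
    user, password = unquote(user), unquote(password)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return clean, {"Authorization": "Basic " + token.decode("ascii")}


def redact(url):
    """Form of the URL suitable for logs: password replaced by ***."""
    parts, userinfo, present, hostport = _cut(url)
    if not present or ":" not in userinfo:
        return url
    user = userinfo.partition(":")[0]  # left escaped, exactly as given
    return urlunsplit((parts.scheme, f"{user}:***@{hostport}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: user name containing an escaped space.
    sample = "http://bob%20reveal:s3cret@host.example/blah"
    clean, headers = split_userinfo(sample)
    print(clean)            # request URL with no credentials in it
    print(sorted(headers))  # header names only; the value is a secret
    print(redact(sample))
```

Base64 in the Basic scheme is an encoding, not encryption, so the header protects the password no better than the URL does on the wire; what the conversion avoids is the password ending up wherever URLs are recorded.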