JTK wrote:

>> On Thursday 27 December 2001 04:36 am, JTK wrote:
>>
>>>> Huh?
>>>> The problem is not invalid URLs, they are valid URLs;
>>>>
>>> Nonono, they're invalid - they contain linefeeds etc which are
>>> specifically forbidden by whatever the official URL spec is.  This was
>>> all gone over in excruciating detail and I'm sure all the sad details
>>> are Googleable.
>>>
>>
>> No, the URL contains no linefeeds:
>>         http://foo:79/
>>
>> That's it. It wasn't even a POST, but even if it were, there wouldn't be 
>> any linefeeds in that URL either.
>>
> 
> 
> Right, but a *malicious* one would have to.  By parsing the URL 
> properly, a malformed URL (which yours is *not*) would be rejected, and 
> properly-formed URLs (which yours *is*) would work fine, regardless of 
> the port.  But instead Mozilla's "solution" is to just block all access 
> to particular ports, regardless of whether the URL is valid or not.
> 


AFAIK the urlparser (nsStandardURL) drops every \r \t and \n it 
encounters in URLs.


> Now this is admittedly far down the list of Mozilla's defects
> 
> (as far as number of people affected; I'm sure to you and a relatively 
> small %tage of others this could be a major PITA),
> 
> but it just goes to show you the overall lack of design forethought 
> pervasive to the project.
> 


Andreas
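
The three policies argued over in this thread, side by side, as an added example that is not part of the original messages and is not Mozilla code: refusing a URL that contains TAB/LF/CR, dropping those characters before parsing (what the reply says nsStandardURL does), and refusing a port regardless of URL validity. The function names and the one-entry blocklist (port 79, from the thread) are assumptions; parsing uses the standard `URL` class.

```javascript
// Added example. BLOCKED_PORTS is constructed: port 79 comes from the thread,
// and this is not Mozilla's real list.
const BLOCKED_PORTS = new Set([79]);
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Parse with the standard URL class; return null for anything it rejects.
function parse(text) {
  try {
    const u = new URL(text);
    const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port);
    return { ok: true, href: u.href, host: u.hostname, port };
  } catch {
    return null;
  }
}

// Policy 1 (strict): a URL containing TAB, LF or CR is malformed and refused.
function strictParse(input) {
  if (/[\t\n\r]/.test(input)) return { ok: false, reason: "TAB/LF/CR in URL" };
  return parse(input) || { ok: false, reason: "unparseable" };
}

// Policy 2 (lenient): drop TAB, LF and CR, then parse what is left.
function lenientParse(input) {
  return parse(input.replace(/[\t\n\r]/g, "")) || { ok: false, reason: "unparseable" };
}

// Policy 3: refuse by port alone, whether or not the URL was well formed.
function evaluate(input) {
  const strict = strictParse(input);
  const lenient = lenientParse(input);
  const portBlocked = lenient.ok && BLOCKED_PORTS.has(lenient.port);
  return { strict, lenient, portBlocked };
}

// Constructed sample inputs.
for (const s of ["http://foo:79/", "http://foo:8080/a\r\nb", "http://foo/"]) {
  console.log(JSON.stringify(s), evaluate(s));
}
```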

