It's long, I know, I'm sorry :(

Friday, November 29, 2002, 12:18:10 AM, you wrote:

JA> It's almost this kind of thinking (no offence) that starts getting
JA> programs in trouble. I know mailto: URLs won't cause any harm (unless
JA> you do permit certain headers to be set), but saying "well, just let
JA> this one slip a little" just starts to promote bad coding, and hence
JA> security bugs.

    This doesn't promote bad coding at all, especially in this case.
In fact, most IE holes have nothing to do with not following official
standards (usually a buffer overflow or something related to security
zones and scripting).  The cases which are involve proprietary
extensions added by MS themselves, not an effort to support ones in
wide use made by other people.  MS has bad coding practice in general,
regardless of context, so trying to point to one thing as being the
result of it seems a bit silly.

    The "be lenient in what you accept, strict in what you send" is
the standard, widely accepted mentality for 99% of software. djb's
software is the only software I can think of that doesn't, and it can
get away with it because it breaks very little software (if any). If
you've ever written server or certain client software you'll realize
that there are a) a lot of non-standard clients and servers and b) you
have to support them. I've encountered problems like this, thinking it
was a bug in my code, only to find out about some sort of
non-compliant support I needed to add to allow the software on the
other end to function properly (this is especially true on usenet).

    Apache is a great example of software needing to support
non-compliant clients (see http://www.apacheweek.com/issues/01-03-02).
It will accept a variety of non-compliant inputs, I know because I've
actually tried (you might be surprised what you can get away with).
Likewise you could think of OpenSSH which is capable of emulating
(non-compliant) bugs in old ssh clients.  This is also done with all
major browsers to accept non-compliant HTML (very very few webpages
have 100% compliant HTML). I wouldn't be surprised if The Bat! accepts
messages which are incorrectly encoded (like with MIME).  I didn't
know this until now, but apparently that "be lenient ..." saying is
from the IETF according to that URL, meaning they acknowledge its
necessity.

JA> Plus the mailto: is following standard RFC guidelines on
JA> correctly formatted URLs (you won't find a single website that can be
JA> served with a space in it, the server will convert the names to %20).
JA> Break it, and you might end up causing all kinds of issues.

    This isn't breaking *anything*.  This is about accepting a
non-compliant input, not producing a non-compliant output.  This case
is also different than a url with spaces in that the HTTP protocol
relies on url having no spaces (because the space is used to delimit a
parameter that comes after it).  With mailto it can easily be
interpreted without confusion.  This is not to mention the fact that
the non-compliant mailto: is in such wide use that it's become an
unofficial standard (the RFC itself was made in 1998, long after it
had already been in use).

JA> Saying that other clients (OE in your reference) interpret the mailto:
JA> correctly is incorrect. RFCs say, you *must* convert the special
JA> characters to their hex equivalent. Reading it in any other ways is
JA> wrong, no matter how you look at it.

    It may be wrong from the standpoint of the RFC, but from an
intuitive standpoint (that of everyone who does it) it makes perfect
sense. It's not at all difficult to interpret as it was intended by
the author.

JA> I think RitLabs have done the correct thing in following the RFCs
JA> correctly. The more compliance you have with standards, the more
JA> likely you are to do well. Start changing things, or flexing the rules
JA> slightly, and you end up having all kinds of problems.

    Actually it tends to be the opposite.  If you don't support
non-compliant stuff you start breaking clients/servers and data ends
up getting misrepresented/misdisplayed.  If software writers,
especially those who make web browsers, didn't support non-compliant
stuff many pages wouldn't display quite right or not at all (yes, even
Opera does this). In fact, if you are so strict as to accept only
perfect compliance people probably would stop using your browser
because they would be limited to only those websites who bothered to
use the w3c validator (which is very few sadly).  Besides, it IS just
mailto, you really aren't hurting anything.


________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
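
The two positions argued in this thread, side by side, as an added example that is not part of the original message and not The Bat!'s code: a mailto: parser with a strict mode that rejects unencoded characters and a lenient mode that tolerates them, where both modes still drop headers outside an allowlist and refuse header line breaks. The function name, the allowlist and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: only these headers may be preset by a link; cc, bcc, from and
# anything else are dropped ("unless you do permit certain headers to be set").
SAFE_HEADERS = {"subject", "keywords", "body"}

# Constructed sample inputs.
LENIENT_URL = "mailto:list@example.com?subject=Hello World&bcc=spy@example.com"
ENCODED_URL = "mailto:list@example.com?subject=Hello%20World"
CRLF_URL = "mailto:a@example.com?subject=x%0D%0ABcc:%20y@example.com"


def parse_mailto(url, strict=False):
    """Return (recipients, headers) or raise ValueError.

    strict=True  rejects raw spaces, non-ASCII and malformed %-escapes.
    strict=False accepts them, but the security checks below apply either way.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    if strict and re.search(r"[^\x21-\x7e]|%(?![0-9A-Fa-f]{2})", rest):
        raise ValueError("unencoded character in mailto: URL")

    to_part, _, query = rest.partition("?")
    recipients = [unquote(a).strip() for a in to_part.split(",") if a.strip()]
    if any(re.search(r"[\r\n]", a) for a in recipients):
        raise ValueError("line break in recipient")

    headers = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        name = unquote(name).strip().lower()
        value = unquote(value)
        if name not in SAFE_HEADERS:
            continue  # leniency about syntax, not about which headers are set
        # A decoded CR/LF in a single-line header would inject extra headers.
        if name != "body" and re.search(r"[\r\n]", value):
            raise ValueError("line break in header value")
        headers[name] = value
    return recipients, headers


if __name__ == "__main__":
    print(parse_mailto(LENIENT_URL))
    print(parse_mailto(ENCODED_URL, strict=True))
```
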
