Re: [xml] Two bugs in nanoftp.c in libxml2-2.4.10.



On Tue, Nov 20, 2001 at 09:45:20AM +0100, robert xml 00008 org wrote:
 >I don't, but this came from a user's example and it seems widely
 >supported.

Also see RFC1738, 3.1.

  Okay, though that section is obsoleted by 2396.
RFC 2396 actually states the following in 3.2.2:

-------------
Some URL schemes use the format "user:password" in the userinfo
field. This practice is NOT RECOMMENDED, because the passing of
authentication information in clear text (such as URI) has proven to
be a security risk in almost every case where it has been used.
-------------

  I was wondering if I should update the URI handling code to
make the direct parsing of the password field. Considering this
I prefer to keep it FTP specific, the application needing to
extract the passwd field should be able to do this if required from
the userinfo field at minimal costs.

Daniel

-- 
Daniel Veillard      | Red Hat Network https://rhn.redhat.com/
veillard redhat com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
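
The application-side extraction the message above refers to could look like the following. This is an added example, not code from the original mail or from libxml2. It assumes the caller already holds the userinfo string from a parsed URI and splits it at the first ':' as in the "user:password" form quoted from RFC 2396; `pct_decode` and `split_userinfo` are hypothetical names.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in src[0..len). Returns a malloc'd string, or NULL on a
 * truncated or invalid escape, an encoded NUL (%00), or allocation failure. */
static char *pct_decode(const char *src, size_t len)
{
    char *out = malloc(len + 1);
    size_t i, o = 0;
    if (out == NULL) return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (len - i < 3 || !isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]) ||
                (src[i + 1] == '0' && src[i + 2] == '0')) {
                free(out);
                return NULL;
            }
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            i += 2;
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return out;
}

/* Hypothetical helper: split userinfo at the first ':' and decode both halves.
 * *password is NULL when there is no ':' and "" for "user:". Caller frees.
 * Returns 0 on success, -1 on error (both outputs left NULL). */
int split_userinfo(const char *userinfo, char **user, char **password)
{
    const char *colon;
    *user = *password = NULL;
    if (userinfo == NULL) return -1;
    colon = strchr(userinfo, ':');
    *user = pct_decode(userinfo,
                       colon ? (size_t)(colon - userinfo) : strlen(userinfo));
    if (colon != NULL)
        *password = pct_decode(colon + 1, strlen(colon + 1));
    if (*user == NULL || (colon != NULL && *password == NULL)) {
        free(*user); free(*password);
        *user = *password = NULL;
        return -1;
    }
    return 0;
}
```

Because the decoded password is a clear-text credential, the caller should overwrite and free it as soon as the login has been sent and keep the original URI out of logs.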


