possibly damaging remote operation to occur. The unsafe URL is
typically constructed by specifying a port number other than that
reserved for the network protocol in question. The client
unwittingly contacts a server which is in fact running a different
protocol. The content of the URL contains instructions which when
interpreted according to this other protocol cause an unexpected
operation. An example has been the use of gopher URLs to cause a rude
message to be sent via an SMTP server. Caution should be used when
using any URL which specifies a port number other than the default
for the protocol, especially when it is a number within the reserved
space.
Care should be taken when URLs contain embedded encoded delimiters
for a given protocol (for example, CR and LF characters for telnet
protocols) that these are not unencoded before transmission. This
would violate the protocol but could be used to simulate an extra
operation or parameter, again causing an unexpected and possibly
harmful remote operation to be performed.
RFC 1738 Uniform Resource Locators (URL) December 1994
The use of URLs containing passwords that should be secret is clearly
unwise.
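
The three cautions above can be checked mechanically before a client
dereferences a URL. The following Python sketch is an added example,
not part of the RFC text. It assumes "reserved space" means ports
below 1024; the function name, finding labels and sample URLs are
constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Default ports of the RFC 1738 schemes that carry a port number.
DEFAULT_PORTS = {"ftp": 21, "http": 80, "gopher": 70, "nntp": 119,
                 "telnet": 23, "wais": 210, "prospero": 1525}
RESERVED_MAX = 1023  # assumption: "reserved space" = ports below 1024

# Raw or percent-encoded CR/LF: delimiters in line-oriented protocols.
CRLF = re.compile(r"%0[AaDd]|[\r\n]")


def audit_url(url):
    """Return a list of finding labels for one URL (empty = nothing flagged)."""
    findings = []
    # Inspect the raw string first: urlsplit() silently strips raw CR/LF,
    # and the encoded form is exactly what must never be decoded on the wire.
    if CRLF.search(url):
        findings.append("crlf-delimiter")
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError if not 0-65535
    except ValueError:
        return findings + ["unparseable"]
    default = DEFAULT_PORTS.get(parts.scheme.lower())
    if port is not None and default is not None and port != default:
        findings.append("non-default-port")
        if port <= RESERVED_MAX:
            # Likely another well-known protocol is listening here.
            findings.append("reserved-port")
    if parts.password is not None:
        findings.append("embedded-password")
    return findings


# Constructed sample URLs (hosts and payloads are inert placeholders).
SAMPLES = [
    "http://www.example.com/index.html",
    "http://www.example.com:8080/",
    "gopher://host.example:25/1x%0D%0Ay",
    "ftp://user:secret@ftp.example.com/pub",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_url(sample) or "ok")
```

A URL that is flagged is not necessarily hostile; the findings mark
the cases where the text above asks for caution before the URL is
followed.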
7. Acknowledgements
This paper builds on the basic WWW design (RFC 1630) and much
discussion of these issues by many people on the network. The
discussion was particularly stimulated by articles by Clifford Lynch,
Brewster Kahle [10] and Wengyik Yeong [18]. Contributions from John
Curran, Clifford Neuman, Ed Vielmetti and later the IETF URL BOF and
URI working group were incorporated.
Most recently, careful readings and comments by Dan Connolly, Ned
Freed, Roy Fielding, Guido van Rossum, Michael Dolan, Bert Bos, John
Kunze, Olle Jarnefors, Peter Svanberg and many others have helped
refine this RFC.
APPENDIX: Recommendations for URLs in Context
URIs, including URLs, are intended to be transmitted through
protocols which provide a context for their interpretation.
In some cases, it will be necessary to distinguish URLs from other
possible data structures in a syntactic structure. In this case, it is
recommended that URLs be preceded with a prefix consisting of the
characters "URL:". For example, this prefix may be used to
distinguish URLs from other kinds of URIs.
In addition, there are many occasions when URLs are included in other
kinds of text; examples include electronic mail, USENET news
messages, or printed on paper. In such cases, it is convenient to
have a separate syntactic wrapper that delimits the URL and separates
it from the rest of the text, and in particular from punctuation
marks that might be mistaken for part of the URL. For this purpose,
it is recommended that angle brackets ("<" and ">"), along with the