-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jonathan Smith wrote: > Robert Swiecki wrote: > > The second one is based on the http URI scheme which allows embedding >> user/password parameters into it, i.e. http://user:password@xxxxxxxxxxx >> Such parameters can contain whitespaces, so the attack vector is quite >> obvious. > >> http://alt.swiecki.net/konq3.html > > This does interesting things to firefox as well. Specifically, it hangs > seemingly indefinably (with no cpu utilization). Tested with firefox-2.0.0.6 on > Foresight Linux (firefox=/foresight.rpath.org@fl:1-devel//1/2.0.0.6-1-1). er, spoke too soon. It actually just presents a dialog box that doesn't let you choose an option (to continue logging in or not). What I was seeing was firefox not letting me do anything until I chose one of the non-existent options. Killing the dialog box makes the firefox session resume normally. Apparently this dialog-issue was fixed in trunk (for 3.x) but not in 2.x. Thanks to Adam Guthrie from Mozilla for helping figure that one out. smithj -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (GNU/Linux) iD8DBQFGt6/X0e1Yawpq2XMRAghuAKC7QJIkAoJmueJOU1u6DOzFCJOf9ACgyhrk A77j6xRZJwyhh99rreUnOLo= =aBJN -----END PGP SIGNATURE-----
