Re (tilly) 1: Put name and password in URLs

by tilly (Archbishop)
on Aug 22, 2001 at 19:39 UTC


in reply to Put name and password in URLs

An addendum that I needed to look up. What do you do if the name or password contains special characters? Well the answer after reading RFC 1738 is that you just URI encode them. (Duh, I should have guessed.) You can do that with the URI::Escape module. Be warned, the default character set it escapes does not include @. Therefore you will want to use something like this:

```perl
use URI::Escape qw(uri_escape);

# Takes a list of strings, returns them escaped for use in URLs.  In scalar
# context will only escape the first.
sub safe_uri_escape {
  wantarray
    ? map {uri_escape($_, "\\W")} @_
    : uri_escape(shift, "\\W");
}
```

Re: Re (tilly) 1: Put name and password in URLs
by vacant (Pilgrim) on Nov 10, 2003 at 05:15 UTC
    I realize this thread is over two years old, but it caught my attention because I have been looking into deobfuscation of evil URLs, and I believe this is not a good idea, particularly in an HTTP URL.

    This field (called "userinfo") is defined in the general URI format in RFC 2396, but it is not used in the HTTP URL format described in RFC 2616. Nonetheless, most browsers will transmit this field unchanged, and most web servers will ignore it, but supply it to a CGI program as part of the "environment" data. Its chief application is intentionally obscuring the identity of the URL. It is used mainly by fraudsters and spammers for that purpose.

    In addition, here is a quote from RFC 2396:

    "It is clearly unwise to use a URL that contains a password which is intended to be secret. In particular, the use of a password within the 'userinfo' component of a URL is strongly disrecommended except in those rare cases where the 'password' parameter is intended to be public."

      While I grant you that this can be used by fraudsters for social engineering purposes, it has many more legitimate uses. The most common one that I have had is to simplify automation of fetching web pages for batch jobs. You don't have to rewrite a script that used LWP::Simple or that passes stuff to lwp-request, you just add stuff to the URL.

      While I can't say for sure what people around here have used it for, all of the comments that I have received suggest that they used it for exactly what I did.
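
An added example, not part of any post in this thread: it round-trips the escaping from the first post through the URI module, then applies the check the reply about userinfo implies, reporting which host a URL really points at and whether it carries userinfo. The host names and credentials are constructed placeholders, and `url_with_credentials` and `inspect_url` are hypothetical helper names.

```perl
use strict;
use warnings;
use URI;
use URI::Escape qw(uri_escape uri_unescape);

# Escape every non-word character, as in the first post, so that '@', ':'
# and '/' inside a credential cannot be read as URL delimiters.
sub safe_uri_escape { uri_escape($_[0], "\\W") }

# Build scheme://user:password@host/path with both credentials escaped.
sub url_with_credentials {
    my ($scheme, $user, $pass, $host, $path) = @_;
    return sprintf '%s://%s:%s@%s%s', $scheme,
        safe_uri_escape($user), safe_uri_escape($pass), $host, $path;
}

# Return the host a URL actually addresses plus the decoded userinfo.
# Returns nothing for schemes that have no host component.
sub inspect_url {
    my ($url) = @_;
    my $uri = URI->new($url);
    return unless $uri->can('host');
    my ($user, $pass);
    my $userinfo = $uri->userinfo;    # still percent-encoded at this point
    if (defined $userinfo) {
        ($user, $pass) = map { uri_unescape($_) } split /:/, $userinfo, 2;
    }
    return { host => $uri->host, user => $user, password => $pass };
}

# Constructed sample: credentials that contain '@', ':' and '/'.
my $built = url_with_credentials(
    'http', 'batch@corp', 'p:a/s@s', 'www.example.com', '/report');

# Constructed sample: a trusted-looking name in userinfo, another real host.
my $disguised = 'http://www.example.com@host.example.net/login';

for my $url ($built, $disguised) {
    my $info = inspect_url($url) or next;
    printf "%s\n  host=%s user=%s password=%s%s\n", $url, $info->{host},
        $info->{user} // '(none)', $info->{password} // '(none)',
        defined $info->{user} ? '  [userinfo present: review]' : '';
}
```

A mail filter or proxy log review can treat any HTTP URL for which `inspect_url` returns a defined `user` as worth a second look, and compare the reported `host` against what the link text claims.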
