Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")
Are there similar bugs in the Windows CE counterparts of Outlook, Outlook
Express and Internet Explorer? How much of the codebase is the same?
[email]email@example.com[/email] (Kee Hinckley) wrote in message news:<bfubir$k19$1@FreeBSD.csie.NCTU.edu.tw>...[color=blue]
> At 8:35 PM +0200 7/25/03, Denis Jedig wrote:[color=green]
> >Internet Explorer seems to take no offense on Content-Types either -
> >text/plain from a web server is happily rendered as HTML, if it
> >contains valid tags.[/color]
> It has long been a standard assertion that programs should produce
> standard-complaint protocols, but be lenient in accepting data
> contrary to the standard. Microsoft has taken this one step further.
> In addition to attempting (not unreasonably) to try and guess what
> the user is trying to do, they've written code that tries to guess
> what a remote client or server is trying to do. I think a history of
> Microsoft security holes clearly shows that this is *not* an
> appropriate programming practice. The acceptance of incorrect data
> makes security scanning by intermediate parties extremely difficult.
> Attempting to "correct" for incorrect remote behavior benefits
> nobody. It encourages programs and people to generate incorrect
> code, and it opens up security holes when by the standard there ought
> to be none. We've seen this time after time in things like HTML code
> embedded in JPEG comments, decimal IP addresses using intentional
> overflows, and a plethora of other cases. Policies that make sense
> in dealing with end user actions can be deadly when used with remote
> standards and protocols.
> (Of course this policy also has the side effect of making it
> extremely difficult for smaller players to compete with the dominant
> one, since they have to be bug-for-bug compatible.)[/color]