Re: Finger URL

Marc VanHeyningen (mvanheyn@cs.indiana.edu)
Sun, 21 Aug 1994 22:05:05 -0500


Thus wrote:
>At 10:11 PM 8/21/94 +0200, Rob Raisch, The Internet Company wrote:
>>
>><sigh> This *has* been discussed before. To death, actually.
>>
>><finger://whitehouse.gov:25/\
>> HELO%20cracker.com%0D%0A\
>> MAIL%20FROM%3A%20some%20crazy%20mofo%0D%0A\
>
>
>so, that's why in the user section it sez-
> "Encoded NEWLINES are not permitted."

Indeed. When it was discussed before, it was acknowledged that
prohibiting newlines (by newline do you mean a CR, an LF, a CRLF, or
what?) did seem to address the currently known risks. I don't know
that anyone has done a thorough analysis of all of the hundreds of
Internet protocols in use to determine whether any of them have
potential security concerns from entries not containing newlines.

With finger, it's easier to deal with. Unlike gopher or http, nobody
runs finger daemons on ports other than 79. Just restrict
specification of other ports.

Eventually, reluctantly the idea of prohibiting newlines was
acknowledged even though it had the risk of becoming a permanent,
rather than a quick-and-dirty, solution. Some browsers don't even
implement that solution and still allow mail-forging.

At any rate, the specification needs to be a bit more explicit. How
does one specify indirect finger queries per section 2.4 of RFC 1288?
How about verbose queries via the /W token?

--
Marc VanHeyningen  <http://www.cs.indiana.edu/hyplan/mvanheyn.html>
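An added example, not part of the original thread, of the client-side checks the message argues for: a small Python validator (the `check_finger_url` name and the sample URLs are my own constructions) that refuses finger URLs naming a port other than 79 and refuses any CR or LF in the query, whether raw or percent-encoded as CR, LF or CRLF.

```python
import re
from urllib.parse import urlsplit, unquote

FINGER_PORT = 79  # the only port a finger client should ever connect to


def check_finger_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a finger URL.

    Policy, following the mailing-list discussion:
      * scheme must be "finger" and a host must be present;
      * the port, if given, must be 79 (no redirecting the client to
        port 25 or any other service);
      * after one round of percent-decoding (what a client would send
        on the wire) the query must contain no CR, LF or other control
        character, so CRLF-separated commands for another protocol
        cannot be smuggled in.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "finger":
        return False, "not a finger URL"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed port"
    if port is not None and port != FINGER_PORT:
        return False, f"port {port} not permitted (only {FINGER_PORT})"

    # Decode exactly once: "%0D%0A" becomes a real CRLF, "%250D" does not.
    query_text = unquote(parts.path)
    if "\r" in query_text or "\n" in query_text:
        return False, "encoded newline in query"
    if re.search(r"[\x00-\x1f\x7f]", query_text):
        return False, "control character in query"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the shapes in the thread.
    for sample in (
        "finger://example.net/alice",
        "finger://example.net:25/HELO%20x%0D%0AMAIL%20FROM%3A%20y",
        "finger://example.net/alice%0Abob",
    ):
        print(sample, "->", check_finger_url(sample))
```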