- From: <Jared_Rhine@hmc.edu>
- Date: Mon, 6 Mar 1995 11:53:42 -0500
- To: ietf-lists@proper.com (Paul Hoffman)
- Cc: uri@bunyip.com
PH == Paul Hoffman <ietf-lists@proper.com>
PH> I propose the following:
PH>
PH> ====================
PH> The "finger" URL has the form:
PH>
PH> finger://host[:port][/<request>]
PH>
PH> The <request> must conform with the RFC 1288 request format.
PH> A finger client could simply send the <request> to the host designated
PH> in the first part of the URL at the specified port after decoding any
PH> escaped characters.
PH> ====================
Seconded. I believe this is what we were looking for.
PH> For the security part, I would add:
PH>
PH> As explained in RFC 1738, URLs that use non-standard port numbers pose
PH> a potential security risk for users of those URLs. If a port other
PH> than 79 is specified in a finger URL, the finger client might warn the
PH> user or reject the URL altogether.
It might make sense to restrict the outgoing request to only a single line,
as I believe the finger protocol works (at least, I've never been able to
get a server to parse more than one line). This would reduce the
possibility of a port 25 (SMTP) spoof. Speaking of end-of-lines, does your
finger proposal specify how the <request> is terminated? Does the finger
protocol spec? Some language clarifying this issue should be in the finger
URL spec.
--
Jared_Rhine@hmc.edu | Harvey Mudd College | http://www.hmc.edu/~jared/home.html
"A pessimist is one who has been intimately acquainted with an optimist."
-- Elbert Hubbard
Received on Monday, 6 March 1995 11:54:39 UTC