Re: Predraft 1 for finger URL scheme

>1. always interpret the result as plain text; we basically
>   decided that allowing embedded html and friends was just
>   plain silly, tho tempting

This is covered in the security section of the finger RFC (1288), and I'll
refer the reader to that.

>2. don't forget to support the /W option (sec 2.5.4 of RFC1288)


>As to finger:user@host or finger://user@host --
>Don't forget that there may be 2 hosts involved,
>the @host part and the host you actually connect to,
>they needn't be the same.
>So, you may want-
>        finger://host1/[W/]user[@host2]

Actually, after looking at section 3.1 of RFC 1738, I decided not to use
the "common Internet scheme syntax" at all since finger doesn't match most
of the parts. That is, if you specify the user and host, there is no
<url-path>. Your form above goes against the intent of the common scheme, I
believe, and I think it is better to just let the user specify the finger
request as they would on a command-line client.

Thus, I'm going with the quite simple format "finger:<request>". The client
passes the whole request (after decoding spaces and slashes) to the finger

>As to security, don't allow ports other than the
>default and don't transmit CR's or LF's.

Right on both counts.

Received on Tuesday, 14 February 1995 13:09:30 UTC