- From: Paul Hoffman <ietf-lists@proper.com>
- Date: Tue, 14 Feb 1995 10:09:37 -0700
- To: uri@bunyip.com
>1. always interpret the result as plain text; we basically > decided that allowing embedded html and friends was just > plain silly, tho tempting This is covered in the security section of the finger RFC (1288), and I'll refer the reader to that. >2. don't forget to support the /W option (sec 2.5.4 of RFC1288) Right. >As to finger:user@host or finger://user@host -- >Don't forget that there may be 2 hosts involved, >the @host part and the host you actually connect to, >they needn't be the same. > >So, you may want- > finger://host1/[W/]user[@host2] Actually, after looking at section 3.1 of RFC 1738, I decided not to use the "common Internet scheme syntax" at all since finger doesn't match most of the parts. That is, if you specify the user and host, there is no <url-path>. Your form above goes against the intent of the common scheme, I believe, and I think it is better to just let the user specify the finger request as they would on a command-line client. Thus, I'm going with the quite simple format "finger:<request>". The client passes the whole request (after decoding spaces and slashes) to the finger host. >As to security, don't allow ports other than the >default and don't transmit CR's or LF's. Right on both counts.
Received on Tuesday, 14 February 1995 13:09:30 UTC