Re: Revised Internet-Draft: finger URL

Andrew McRae (mcrae@elmer.harvard.edu)
Mon, 27 Feb 1995 16:46:41 -0500 (EST)


Date: Mon, 27 Feb 1995 16:46:41 -0500 (EST)
From: Andrew McRae <mcrae@elmer.harvard.edu>
To: David Robinson <drtr1@cam.ac.uk>
Cc: uri@bunyip.com
Subject: Re: Revised Internet-Draft: finger URL
In-Reply-To: <m0rj9Bp-0007aQC@grus.cus.cam.ac.uk>
Message-Id: <Pine.SUN.3.91.950227152017.16669B-100000@elmer>

Hi, all.
Topics: (a) /W
        (b) "host:port" and security

(a) On the subject of "/W":
On Mon, 27 Feb 1995, David Robinson wrote:
> Wouldn't
>    finger://host2/user;W
> or
>    finger://host2/user;/W
> Be more in keeping with the generic URL syntax?

Pedantically speaking, the generic URL syntax just says that schemes may 
reserve ";", not that it has any particular meaning.

Larry Masinter mentioned at one point (maybe more than one) that he was
thinking about use of finger: URLs for whois++. If it would be useful for
that purpose to have ";" reserved (so that one could do with it the kinds
of thing it does in the FTP, Prospero, etc. URL schemes) then it might be
worthwhile: otherwise there doesn't seem to be much to be gained by
this.

(b) Paul Hoffman wrote:
> Also, I would like to see discussion about allowing host:port in this
> syntax. Should it be allowed, even though RFC 1288 says only serve on
> port 79? Are the security issues raised by forcing Internet users to
> know about special ports worth the flexibility of allowing this?

OK, I'll bite. Playing devil's advocate:

"host:port" should be allowed, for the following reasons:

* It creates no new security problems, because anything that could be
done with
    finger://host:port/evil_string
can already be done with
    gopher://host:port/0evil_string

* People writing software that resolves finger: URLs are almost certainly
writing software that resolves other IP-based URL schemes as well. Given
that, they're likely to implement "host:port" for finger: URLs anyway,
because they'll have the code in place for it. When it's pointed out to
them that this is illegal, they'll just grumble something about the
"standards people" being "out of touch with the real world". 

* Trying to restrict the power of a locator syntax in order to guard
against malicious people arranging to send arbitrary text strings to
arbitrary ports is a waste of time. It's much too late in the game for
that. Restricting the string to a single CRLF-terminated line of text 
eliminates most of the interesting security problems, anyway.

Fire away...

Andrew.
--
Andrew McRae  <andrew_mcrae@harvard.edu>