finger, again

Jared_Rhine@hmc.edu
Mon, 6 Mar 1995 11:53:42 -0500


Date: Mon, 6 Mar 1995 11:53:42 -0500
Message-Id: <199503061653.LAA20646@aslan.math.hmc.edu>
From: Jared_Rhine@hmc.edu
To: ietf-lists@proper.com (Paul Hoffman)
Cc: uri@bunyip.com
Subject: finger, again

PH == Paul Hoffman <ietf-lists@proper.com>

  PH> I propose the following:
  PH> 
  PH> ====================
  PH> The "finger" URL has the form:
  PH> 
  PH>      finger://host[:port][/<request>]
  PH> 
  PH> The <request> must conform with the RFC 1288 request format.
  PH> A finger client could simply send the <request> to the host designated
  PH> in the first part of the URL at the specified port after decoding any
  PH> escaped characters.
  PH> ====================

Seconded.  I believe this is what we were looking for.

  PH> For the security part, I would add:
  PH> 
  PH> As explained in RFC 1738, URLs that use non-standard port numbers pose
  PH> a potential security risk for users of those URLs. If a port other
  PH> than 79 is specified in a finger URL, the finger client might warn the
  PH> user or reject the URL altogether.

It might make sense to restrict the outgoing request to only a single line,
as I believe the finger protocol works (at least, I've never been able to
get a server to parse more than one line).  This would reduce the
possibility of a port 25 (SMTP) spoof.  Speaking of end-of-lines, does your
finger proposal specify how the <request> is terminated?  Does the finger
protocol spec?  Some language clarifying this issue should be in the finger
URL spec.

-- 
Jared_Rhine@hmc.edu | Harvey Mudd College | http://www.hmc.edu/~jared/home.html

"A pessimist is one who has been intimately acquainted with an optimist."
        -- Elbert Hubbard