Re: solution time for www/smtp hole

brian@eitech.com (Brian Smithson)
Date: Fri, 13 Aug 93 13:28:36 PDT
From: brian@eitech.com (Brian Smithson)
Message-id: <9308131328.ZM23612@eitech.com>
In-Reply-To: Tony Sanders <sanders@BSDI.COM>
        "Re: solution time for www/smtp hole" (Aug 13,  3:20pm)
References: <9308132020.AA19897@austin.BSDI.COM>
X-Mailer: Z-Mail (2.1.4 02apr93)
To: www-talk@nxoc01.cern.ch
Subject: Re: solution time for www/smtp hole
On Aug 13,  3:20pm, Tony Sanders wrote:
> 
> You can't look for returned strings because that's non-deterministic
> and doesn't solve the problem (as it's based on a timeout).
> 

Well, it's not as nice as one might like, but you end up dealing with
timeouts in the process of transacting with the protocol anyway.

> If gopher doesn't need newlines then it seems to me the best solution
> is to just truncate the URL at the first newline.

I like this better than port number exclusions/restrictions, but it too
is non-deterministic.  It works in the cases of SMTP and NNTP (as does
validating the service), but it's conceivable that some other service
could be maliciously invoked with a single-line command.

-- 
-Brian Smithson                                          brian@eitech.com
 Enterprise Integration Technologies                      +1 415 617 8009
 459 Hamilton Avenue, Palo Alto, CA 94301 USA         FAX +1 415 617 8019
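
The truncation idea discussed in this message, sketched as an added example that is not part of the original post or of any client mentioned in the thread. The function name, the host `host.example` and the sample URLs are constructed for illustration; the selector is percent-decoded before it is cut, so an encoded CR or LF is caught as well as a literal one.

```python
from urllib.parse import urlsplit, unquote_to_bytes


def gopher_request(url: str) -> tuple[bytes, bool]:
    """Return (bytes to send, truncated?) for a gopher URL.

    The selector is percent-decoded first, then cut at the first CR or LF,
    so an encoded newline cannot add extra lines to the request.
    """
    parts = urlsplit(url)
    if parts.scheme != "gopher":
        raise ValueError("not a gopher URL")
    # Path is "/<type char><selector>"; drop the slash and the type char.
    raw = parts.path[2:]
    if parts.query:  # keep a "?" that urlsplit split off the selector
        raw += "?" + parts.query
    selector = unquote_to_bytes(raw)
    cut = len(selector)
    for i, byte in enumerate(selector):
        if byte in (0x0D, 0x0A):
            cut = i
            break
    truncated = cut < len(selector)
    # Exactly one line is ever sent, terminated by the client itself.
    return selector[:cut] + b"\r\n", truncated


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    samples = [
        "gopher://host.example:70/1/docs%0D%0ASECOND%20LINE%0D%0ATHIRD",
        "gopher://host.example:70/1SINGLE%20COMMAND",
    ]
    for sample in samples:
        print(sample, "->", gopher_request(sample))
```

The second sample passes through unchanged, which is the limitation raised above: truncation bounds the request to one line but does not decide whether that one line is acceptable to the service on the other end.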