Re: solution time for www/smtp hole (Brian Smithson)
Date: Fri, 13 Aug 93 13:28:36 PDT
From: (Brian Smithson)
Message-id: <>
In-Reply-To: Tony Sanders <sanders@BSDI.COM>
        "Re: solution time for www/smtp hole" (Aug 13,  3:20pm)
References: <9308132020.AA19897@austin.BSDI.COM>
X-Mailer: Z-Mail (2.1.4 02apr93)
Subject: Re: solution time for www/smtp hole
Status: RO
On Aug 13,  3:20pm, Tony Sanders wrote:
> You can't look for returned strings because that's non-deterministic
> and doesn't solve the problem (as it's based on a timeout).

Well, it's not as nice as one might like, but you end up dealing with
timeouts in the process of transacting with the protocol anyway.

> If gopher doesn't need newlines then it seems to me the best solution
> is to just truncate the URL at the first newline.

I like this better than port number exclusions/restrictions, but it too
is non-deterministic.  It works in the cases of SMTP and NNTP (as does
validating the service), but it's conceivable that some other service
could be maliciously invoked with a single-line command.

-Brian Smithson                                
 Enterprise Integration Technologies                      +1 415 617 8009
 459 Hamilton Avenue, Palo Alto, CA 94301 USA         FAX +1 415 617 8019