Date: Thu, 24 Mar 1994 21:20:21 +0100
Message-Id: <9403242020.AA29581@dxmint.cern.ch>
From: hallam@alws.cern.ch
Subject: Re: gopher URLs (was Re: how to make progress ...)

>From: DXMINT::"<mpm@boombox.micro.umn.edu>"
>You could say that clients should reject the Gopher URL as bogus if within the
>selector string section of the Gopher URL's parameter package, there is a coded
><return> or <linefeed>... but a better way of dealing with this would be to
>say that all clients should reject all URLs that point at the well-known port
>for sendmail. This would handle the potential problem for all protocols that
>allow specifying a port number and send arbitrary information at the port.

The problem is that there are quite a few ports that you can write to and
cause trouble.

Along with sendmail there is ftp, which is potentially a far worse hole. You
could even go so far as rlogin. If you are going to close off ports then
the only sensible way would be to forbid any access to the reserved port numbers
except by the `approved' protocol. This then has the difficulty that there are
often good reasons to run servers on a non-standard port under 1024.

Phill Hallam-Baker
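
Added example, not part of the original message or of any client discussed in the thread: a client-side check that combines the two rules above, rejecting a coded <return> or <linefeed> after the host part and refusing reserved ports except for the scheme's own default. The function name, the scheme table and the `exceptions` allowlist (for servers deliberately run on a non-standard port under 1024) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Default port for each scheme this client speaks: the "approved" protocol per port.
DEFAULT_PORTS = {"gopher": 70, "http": 80, "ftp": 21}
RESERVED_MAX = 1023  # reserved port numbers are those under 1024


def check_url(url, exceptions=frozenset()):
    """Return (ok, reason) for a URL the client is about to follow.

    exceptions: hypothetical local allowlist of (scheme, host, port) tuples
    for servers deliberately run on a non-standard reserved port.
    """
    # Recent urlsplit versions drop raw CR/LF, so look for them before parsing.
    if "\r" in url or "\n" in url:
        return False, "raw CR/LF in URL"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, "unsupported scheme"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "invalid port"
    # Rule 1: no percent-encoded CR or LF anywhere after the host part,
    # since that text is what the client would send to the server.
    rest = parts.path + "?" + parts.query + "#" + parts.fragment
    decoded = unquote_to_bytes(rest)
    if b"\r" in decoded or b"\n" in decoded:
        return False, "encoded CR/LF in selector"
    # Rule 2: a reserved port is reachable only by its own scheme,
    # unless the (scheme, host, port) triple is explicitly allowlisted.
    if port <= RESERVED_MAX and port != DEFAULT_PORTS[scheme]:
        if (scheme, host, port) not in exceptions:
            return False, "reserved port not approved for scheme"
    return True, "ok"
```
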