Re: solution time for www/smtp hole

Brian Smithson ([email protected])
Fri, 13 Aug 93 13:28:36 PDT


On Aug 13, 3:20pm, Tony Sanders wrote:
>
> You can't look for returned strings because that's non-deterministic
> and doesn't solve the problem (as it's based on a timeout).
>

Well, it's not as nice as one might like, but you end up dealing with
timeouts in the process of transacting with the protocol anyway.

> If gopher doesn't need newlines then it seems to me the best solution
> is to just truncate the URL at the first newline.

I like this better than port number exclusions/restrictions, but it too
is non-deterministic. It works in the cases of SMTP and NNTP (as does
validating the service), but it's conceivable that some other service
could be maliciously invoked with a single-line command.

-- 
-Brian Smithson                                          [email protected]
 Enterprise Integration Technologies                      +1 415 617 8009
 459 Hamilton Avenue, Palo Alto, CA 94301 USA         FAX +1 415 617 8019