Subject: bin/17142: Fingerd filters out international characters
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 06/02/2002 09:38:16
>Synopsis: Fingerd filters out international characters
>Arrival-Date: Sun Jun 02 06:39:00 PDT 2002
>Originator: Ben Wong
Georgia Institute of Technology
System: NetBSD hrududu.wongs.net 1.5 NetBSD 1.5 (HRUDUDU) #8: Tue May 15 04:47:24 EDT 2001 email@example.com:/usr/src/sys/arch/i386/compile/HRUDUDU i386
If a .plan file has international characters (e.g., latin1 or
unicode), the NetBSD finger daemon will clear the high-bit to make it
7-bit ASCII. RFC 1196 is quite clear on this point: characters between
128 and 255 are allowed for international data. It is up to the client
(finger) to filter out characters the terminal cannot (or should not)
* Create an 8-bit .plan file. Latin-1 is sufficient, but here's unicode:
echo "NetBSD \M-c\M^A\M-/\M-e\M^[\M-=\M-i\M^Z\M^[\M-g\M^Z\M^D\M-e\M^A\M-=\M-c\M^B\M^J\M-c\M^A\M-*\M-c\M^A\M^O\M-c\M^A\M-'\M-c\M^A\M^B\M-c\M^B\M^K" | unvis > ~/.plan
* Start up an xterm that can display unicode characters:
xterm -u8 -fn '-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso10646-1'
* Turn on the fingerd in /etc/inetd.conf
* Try using finger to see the plan. It is mangled.
* Try using cat to see the plan. It works.
RFC 1196 recommends putting the filtering into the client instead of
the server. That way a user (or a sysadmin at an international site)
can choose to not filter the data.
RFC 1196: 3.3. Client security
It is expected that there will normally be some client program that
the user runs to query the initial RUIP. By default, this program
SHOULD filter any unprintable data, leaving only printable 7-bit
characters (ASCII 32 through ASCII 126), tabs (ASCII 9), and CRLFs.
This is to protect against people playing with terminal escape codes,
changing other peoples' X window names, or committing other dastardly
or confusing deeds. Two separate user options SHOULD be considered
to modify this behavior, so that users may choose to view
international or control characters:
- one to allow all characters less than ASCII 32
- another to allow all characters greater than ASCII 126
For environments that live and breathe international data, the system
administrator SHOULD be given a mechanism to enable the latter option
by default for all users on a particular system. This can be done
via a global environment variable or similar mechanism.
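
The contrast drawn in this report, as an added C example that is not taken from the PR or from NetBSD's sources: clearing the high bit on the server versus the client-side filter of RFC 1196 section 3.3 with its two opt-in options. The names `strip_high_bit`, `client_filter`, `ALLOW_CTRL` and `ALLOW_HIGH` and the sample line are constructed for illustration, and keeping a bare LF is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define ALLOW_CTRL 0x1 /* hypothetical option: pass bytes below ASCII 32 */
#define ALLOW_HIGH 0x2 /* hypothetical option: pass bytes above ASCII 126 */

/* Server-side behaviour reported in the PR: the high bit of every byte is cleared. */
size_t strip_high_bit(const unsigned char *in, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] & 0x7f;
    return n;
}

/* Client-side filter following RFC 1196 section 3.3; returns bytes written.
 * Assumption: a bare LF is kept for Unix line endings, a CR only before LF. */
size_t client_filter(const unsigned char *in, size_t n, unsigned char *out, int opts)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        int keep = (c >= 32 && c <= 126) || c == '\t' || c == '\n' ||
                   (c == '\r' && i + 1 < n && in[i + 1] == '\n');
        if (c < 32 && (opts & ALLOW_CTRL))
            keep = 1;
        if (c > 126 && (opts & ALLOW_HIGH))
            keep = 1;
        if (keep)
            out[o++] = c;
    }
    return o;
}

/* Constructed sample .plan line: UTF-8 e-acute followed by an ESC sequence. */
static const unsigned char sample[] = "caf\xc3\xa9 \x1b[2J\r\n";

int main(void)
{
    unsigned char buf[sizeof sample];
    size_t n = strip_high_bit(sample, sizeof sample - 1, buf);
    printf("server strip: %zu bytes, e-acute became %c%c\n", n, buf[3], buf[4]);
    n = client_filter(sample, sizeof sample - 1, buf, 0);
    printf("client default: %zu bytes\n", n);
    n = client_filter(sample, sizeof sample - 1, buf, ALLOW_HIGH);
    printf("client ALLOW_HIGH: %zu bytes, ESC still dropped\n", n);
    return 0;
}
```

On the sample, clearing the high bit turns the two UTF-8 bytes into `C)` yet leaves the ESC byte untouched, while the default client filter drops both. `ALLOW_HIGH` as the RFC words it also passes DEL (127) and the bytes 128 to 159.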