Subject: Re: finger
To: Jun-ichiro itojun Hagino <email@example.com>
From: Kimmo Suominen <firstname.lastname@example.org>
Date: 09/07/2002 22:33:20
Please show what the problem is, so we can try to fix it.
Why does the server need to know the client's character set encoding? I
think the client should still check the characters for validness, as we
are alredy doing with isprint(3). A malicious server could ignore the
character set reported by the client (or even worse, use it for choosing
when to attack).
It is not any more correct to modify characters that are valid for the
display of the user (as indicated by the user through choosing a locale
in his/her environment).
| From: Jun-ichiro itojun Hagino <email@example.com>
| Date: Sun, 08 Sep 2002 11:26:02 +0900
| >I'm not proposing a protocol change to finger. My modification did not
| >change the protocol at all.
| >My change was to make finger behave more like vi and less, where setting
| >the locale will have the expected result of displaying characters that
| >are valid in that locale. Invalid characters will not be displayed.
| >You were proposing a protocol change, and I my reply was that my change
| >does not prevent protocol enhancements in any way.
| what i'm pointing out is, without protocol change, it is not safe to
| permit finger/fingerd to generate 8bit output, since peers have no
| knowledge in the peer's encoding. what linux/whatever is doing is
| not right.