Subject: Re: finger
To: None <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 09/12/2002 12:43:03
[ On Thursday, September 12, 2002 at 11:40:43 (+0200), der Mouse wrote: ]
> Subject: Re: finger
>
> > Please just make finger{,d} pass safe subset of 8bit [...]
> 
> Part of the trouble is, fingerd has no idea what "safe subset of 8bit"
> is for the client.  It could pass anything and let the client deal, but
> that can break clients that aren't smart enough to filter.

Exactly.  Fingerd should pass _all_ data transparently.  Strictly that
can be interpreted as a violation of RFC 1288 2.2 which says any bytes
with values between "128 and 255" _should_ "truly be international
data", but it's also clear the author of that paragraph didn't really
understand what he was saying, never mind what the true extent of the
issue is.  Well byte values between 0 and 255 truly are international
data.  Zimmerman clearly has (or at least had) a very byte-wide-only
view of character encoding.  RFCs describing network protocols should
leave the full description of the data formats they are transporting to
those who specialize in such matters (eg. ISO).  :-)

> finger, of course, can be as paranoid as is called for.  But fingerd
> has to interoperate with clients of unknown provenance, and all it can
> really count on is ASCII printables, plus CRLF for line breaks.

Yes, only the finger client can know what's safe to pass to the terminal
(and even then it has to rely on the user and/or administrator to have
correctly configured its environment to match the actual hardware or
emulator being used to display the data to the user.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>