[ietf-nntp] AUTHINFO draft 01

Jeffrey M. Vinocur jeff at litech.org
Sun Jul 11 06:19:51 PDT 2004


On Sat, 3 Jul 2004, Russ Allbery wrote:

> Clive D W Feather <clive at demon.net> writes:
> 
> > 2.1.2 last para: if you change the syntax to
> >     AUTHINFO USER username...
> >     AUTHINFO PASS password...
> 
> > then the white-space problem mostly goes away, because:
> 
> >     AUTHINFO USER fred flintstone
> >     AUTHINFO PASS very secret
> 
> > becomes legal.
> 
> The only worry here is that many servers split on whitespace before doing
> anything else, and then wouldn't be able to distinguish between:
> 
>     AUTHINFO USER fred flintstone
>     AUTHINFO USER fred  flintstone
> 
> That being said, I have no objections to making the above change; I still
> wouldn't encourage people to use whitespace, though, given that it isn't
> always going to work unless the server handles AUTHINFO specially.

(Hi everybody -- sorry for being silent of late, I was out of the country 
and then catching up on all sorts of backlog.  I'll try to catch the 
important bits of this discussion.)

Anyway, I actually implemented something like the above proposal for 
INN at one point, because it seemed like the sanest "be liberal in what 
you accept" approach when AUTHINFO was only documented by 2980.  And it 
turns out to have the corner cases above with sequential whitespace, as 
well as issues as to what kinds of whitespace are permitted (tabs? CR? 
LF?), and whether leading or trailing whitespace is significant (some 
clients may have been sending extraneous whitespace for years and to 
change the meaning of that whitespace now might be a mess).

And it also turns out to be a mess to implement, because unless you want
to special-case your parser, you have to take the pre-split argument array
and append it back together into something that might look like the
original password.

I don't believe we ever committed the patch for all of those reasons.

Point being, this is no trivial issue.  And given that we're here trying 
simply to document existing implementations, and additionally given that 
many AUTHINFO implementations will never be updated to comply with this 
document anyway, I tend to think that trying to make these changes is 
unrealistic and probably worse than leaving it as is.

Honestly, the biggest problem with the whitespace issue in practice is
that it doesn't result in a good error message with most clients/servers.  
If the only change we ask is for additional awareness and alerting the
user to this issue, I think we'll have made the great majority of the 
improvement possible, and worrying about the last incremental benefit when 
we're already providing a new solution that takes care of all of 
this...just doesn't seem worthwhile to me.


-- 
Jeffrey M. Vinocur
jeff at litech.org
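
The whitespace corner cases discussed in this message, as an added example (not code from INN or from the message): one function rebuilds the credential from a pre-split argument array, the other special-cases AUTHINFO and keeps the remainder of the line verbatim. The function names, the choice of space and tab as separators, and the 512-byte line limit are assumptions made for illustration.

```c
#include <string.h>
#define WS " \t"      /* separators assumed here: space and tab */
#define MAXARGS 32    /* hypothetical limit for this sketch */
typedef int (*parser_fn)(const char *, char *, size_t);

/* Generic parser: split in place on runs of whitespace before dispatch. */
static int split_args(char *line, char **argv, int max) {
    int argc = 0;
    for (char *p = line + strspn(line, WS); *p && argc < max; p += strspn(p, WS)) {
        argv[argc++] = p;
        p += strcspn(p, WS);
        if (*p) *p++ = '\0';
    }
    return argc;
}

/* Approach 1: rebuild the credential from the pre-split array (CRLF already stripped). */
int rejoin_credential(const char *line, char *out, size_t outlen) {
    char buf[512], *argv[MAXARGS];
    if (strlen(line) >= sizeof buf || outlen < sizeof buf) return -1;
    strcpy(buf, line);
    int argc = split_args(buf, argv, MAXARGS);
    if (argc < 3 || argc == MAXARGS) return -1;
    out[0] = '\0';
    for (int i = 2; i < argc; i++) {
        if (i > 2) strcat(out, " ");   /* original separator is unrecoverable */
        strcat(out, argv[i]);
    }
    return 0;
}

/* Approach 2: special-case AUTHINFO: skip two keywords and one separator, keep the rest. */
int raw_credential(const char *line, char *out, size_t outlen) {
    const char *p = line;
    for (int k = 0; k < 2; k++) {
        p += strspn(p, WS);
        p += strcspn(p, WS);
    }
    if (!*p || strlen(p + 1) >= outlen) return -1;
    strcpy(out, p + 1);
    return 0;
}

/* Returns 1 if both wire lines yield the same credential under the given parser. */
int same_credential(parser_fn parse, const char *l1, const char *l2) {
    char a[512], b[512];
    if (parse(l1, a, sizeof a) || parse(l2, b, sizeof b)) return 0;
    return strcmp(a, b) == 0;
}
```

Under the rejoin approach, doubled, tab and trailing whitespace all collapse to the same credential; under the verbatim approach each is a distinct credential, so a client that has always sent a stray trailing space would stop authenticating.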


