ietf-nntp BCP for RFC977 server/RFC1036 interaction

Rich Salz rsalz at osf.org
Tue Apr 8 07:59:23 PDT 1997


>Given that creating the NNTP-Posting-User header may involve inserting
>information from an external and potentially malicious source

Don't do that.

I mean this in a more than flip manner.  If the server is attempting to
identify who the client is, and report that information, then it must
have a way of being able to trust the information that it puts out there.
This *might* mean, for example, an admin-maintained list of ipaddr's
where identd can be trusted (e.g., general timesharing machines).

If you're just gonna randomly connect somewhere and take whatever spews out,
then why not just let the bloody client put whatever value they want?
	/r$
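Added example, not part of the original message or of any NNTP server's code: one way to apply the admin-maintained list described above, emitting NNTP-Posting-User only when the client address is on a list of hosts whose identd is trusted and the RFC 1413 reply parses cleanly. The networks, function names, and header value format are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed allowlist (assumption): networks whose identd the admin trusts,
# e.g. general timesharing machines under known administration.
TRUSTED_IDENT_NETS = [ipaddress.ip_network(n)
                      for n in ("192.0.2.0/28", "2001:db8:10::/64")]

# RFC 1413 success reply: "<port> , <port> : USERID : <opsys> : <user-id>"
_IDENT_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*USERID\s*:\s*([^:]*?)\s*:(.*)$")
# Conservative character set for a value that will be copied into a header.
_SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")


def ident_is_trusted(client_ip):
    """True only if the client address is inside an admin-listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_IDENT_NETS)


def parse_ident_reply(line, remote_port, local_port):
    """Return the user-id from a USERID reply, or None if anything is off."""
    m = _IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None  # ERROR replies, garbage, or embedded line breaks
    # The reply must echo the port pair of the connection we asked about.
    if (int(m.group(1)), int(m.group(2))) != (remote_port, local_port):
        return None
    user = m.group(4).strip()
    return user if _SAFE_USER.fullmatch(user) else None


def posting_user_header(client_ip, ident_line, remote_port, local_port):
    """Return the header line, or None when the server cannot vouch for it."""
    if not ident_is_trusted(client_ip):
        return None  # unlisted host: do not relay whatever its identd says
    user = parse_ident_reply(ident_line, remote_port, local_port)
    if user is None:
        return None
    return "NNTP-Posting-User: " + user  # value format is an assumption


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    good = "40123 , 119 : USERID : UNIX : alice\r\n"
    print(posting_user_header("192.0.2.5", good, 40123, 119))
    print(posting_user_header("198.51.100.7", good, 40123, 119))
```

Returning None means the header is omitted entirely, so an article never carries an identity the server has no basis to trust.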


