ietf-nntp Re: NNTP-Posting-Host
Kenneth Herron
kherron at campus.mci.net
Mon Apr 14 15:17:45 PDT 1997
> NNTP-Posting-Host: <name1> <name2> ...
>
>Where nameN can be the IP address or FQDN representing the name of the system
>connecting to do the POST. It is anticipated that all servers posting via
>NNTP would at least supply the IP address, and preferably the DNS reverse
>lookup of the connection.
Two thoughts, neither of them critical:
1) I once saw something from Wietse Venema, the Satan/Tcp Wrappers
guy, noting that hostnames of the form "1.2.3.4.do.main" are
legal, and match wildmat (etc.) patterns of the form
"1.2.3.*". He noted this as a security issue for INN's nntp
and nnrp access-control files, but I could see this as a
potential security issue for anything which looks at
NNTP-Posting-Host, esp. code written by naive authors.
Specifying that IP addresses be in the form "[1.2.3.4]" would
make this a non-issue.
2) Just to save header creep, how about allowing user@host.name or
user@[ip] as an alternative to NNTP-Posting-User?
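
The matching problem described in point 1, as an added example that is not part of the original post and is not INN code: Python's fnmatch stands in for wildmat (an assumption; both treat "*" as "any run of characters"), and the function names, the 1.2.3.0/24 rule and the sample tokens are constructed for illustration. The strict check follows the "[1.2.3.4]" proposal: only a bracketed literal that parses as an address is compared against an address rule.

```python
import fnmatch
import ipaddress

def naive_allowed(token, pattern):
    """Glob the raw token, the way a simple access file or header filter might."""
    return fnmatch.fnmatchcase(token, pattern)

def parse_token(token):
    """Classify a host token.

    Only a bracketed literal such as "[1.2.3.4]" is treated as an address;
    everything else, dotted digits included, is a hostname.
    """
    if token.startswith("[") and token.endswith("]"):
        try:
            return "ip", ipaddress.IPv4Address(token[1:-1])
        except ipaddress.AddressValueError:
            return "invalid", token
    return "name", token.lower()

def strict_allowed(token, network):
    """Apply an address rule only to tokens that parsed as address literals."""
    kind, value = parse_token(token)
    return kind == "ip" and value in ipaddress.ip_network(network)

# Constructed sample tokens, not taken from any real header.
SAMPLES = [
    "1.2.3.4",            # bare dotted quad, ambiguous with a hostname
    "1.2.3.4.do.main",    # legal hostname that looks like an address prefix
    "[1.2.3.4]",          # bracketed literal inside the allowed range
    "[1.2.3.4.do.main]",  # bracketed but not an address
    "[10.0.0.1]",         # bracketed literal outside the allowed range
]

def report():
    """Return (token, naive result, strict result) for each sample."""
    return [
        (t, naive_allowed(t, "1.2.3.*"), strict_allowed(t, "1.2.3.0/24"))
        for t in SAMPLES
    ]

if __name__ == "__main__":
    for token, naive, strict in report():
        print(f"{token:20} naive={naive!s:5} strict={strict}")
```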