ietf-nntp Re: NNTP-Posting-Host
Chris Lewis
clewis at nortel.ca
Tue Apr 15 08:15:09 PDT 1997
In article <199704142217.PAA15763 at girl.campus.mci.net>,
Kenneth Herron <kherron at campus.mci.net> wrote:
>> NNTP-Posting-Host: <name1> <name2> ...
>>
>>Where nameN can be the IP address or FQDN representing the name of the system
>>connecting to do the POST. It is anticipated that all servers posting via
>>NNTP would at least supply the IP address, and preferably the DNS reverse
>>lookup of the connection.
>
>Two thoughts, neither of them critical:
>
>1) I once saw something from Wietse Venema, the Satan/Tcp Wrappers
> guy, noting that hostnames of the form "1.2.3.4.do.main" are
> legal, and match wildmat (etc.) patterns of the form
> "1.2.3.*". He noted this as a security issue for INN's nntp
> and nnrp access-control files, but I could see this as a
> potential security issue for anything which looks at
> NNTP-Posting-Host, esp. code written by naive authors.
> Specifying that IP addresses be in the form "[1.2.3.4]" would
> make this a non-issue.
Two things:
a) I'd rather not make existing implementations non-compliant
   ["Best _Current_ Practises", remember? ;-)]
b) They can be disambiguated with relatively simple means, both
   automated and manual, so I don't see that this is necessary.
>2) Just to save header creep, how about allowing user@host.name or
> user@[ip] as an alternative to NNTP-Posting-User?
This is a thought.
--
"I can't stand this proliferation of paperwork. It's useless to fight
the forms. You've got to kill the people producing them."
-- Vladimir Kabaidze, 64, General Director of Ivanovo Machine Building Works
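
The ambiguity raised in point 1 and the kind of simple automated disambiguation mentioned in the reply, as an added example that is not part of the original message or of INN's code. Assumptions: Python's fnmatch stands in for wildmat, the function names are hypothetical, and 192.0.2.7 and host.example.net are constructed sample values.

```python
import fnmatch
import ipaddress


def is_ipv4_literal(value):
    """True only for a strict dotted quad; '1.2.3.4.do.main' is a name."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_address_pattern(pattern):
    """A pattern made only of digits, dots and wildcards selects addresses."""
    return (all(c.isdigit() or c in ".*?" for c in pattern)
            and any(c.isdigit() for c in pattern))


def naive_match(peer_string, pattern):
    """The risky form: one string (name or address) against any pattern."""
    return fnmatch.fnmatchcase(peer_string.lower(), pattern.lower())


def strict_match(peer_ip, peer_name, pattern):
    """Address patterns see only the socket address, name patterns only
    the reverse-lookup name, so a digit-prefixed name cannot cross over."""
    if is_address_pattern(pattern):
        return is_ipv4_literal(peer_ip) and fnmatch.fnmatchcase(peer_ip, pattern)
    if peer_name is None or is_ipv4_literal(peer_name):
        return False
    return fnmatch.fnmatchcase(peer_name.lower(), pattern.lower())


def classify_posting_host(token):
    """Disambiguate one NNTP-Posting-Host token as 'ip' or 'name'."""
    return "ip" if is_ipv4_literal(token) else "name"


if __name__ == "__main__":
    # Constructed peer: connects from 192.0.2.7, reverse DNS says 1.2.3.4.do.main
    ip, name, rule = "192.0.2.7", "1.2.3.4.do.main", "1.2.3.*"
    print("naive :", naive_match(name, rule))
    print("strict:", strict_match(ip, name, rule))
    for token in ("1.2.3.4", "1.2.3.4.do.main"):
        print(token, "->", classify_posting_host(token))
```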