draft-ietf-nntpext-base-03.txt some comments
Chris Lewis
Chris.Lewis.clewis at nt.com
Thu Jan 22 10:26:04 PST 1998
Paul Overell wrote:
>
> >9.1.2 AUTHINFO GENERIC
> > AUTHINFO GENERIC authenticator arguments...
> >
> > AUTHINFO GENERIC is used to identify a specific entity to the
> > server using arbitrary authentication or identification
> > protocols. The desired protocol is indicated by the
> > authenticator parameter, and any number of parameters can be
> > passed to the authenticator.
> >
> > When authorization is required, the server will send a 450
> > response requesting authorization from the client.
> >
> > The client should enter AUTHINFO GENERIC followed by the
> > authenticator name and the arguments if any. The
> > authenticator and arguments must not contain the sequence
> > "..".
>
> What is the reason for this, rather odd, restriction?
UNIX implementations thereof use the "authenticator" parameter as a file name of the
authenticator to use.
A ".." would permit an attack on the server by "climbing back up" the directory
tree. This probably also applies to Windows/DOS etc.
Certainly, a server could be implemented to use these to match a configuration file
of allowed authenticators.
I really don't care too much about dropping this requirement, other than the
implications for existing implementations.