ietf-nntp Question about AUTHINFO

Jeffrey M. Vinocur jeff at litech.org
Fri Feb 7 16:20:51 PST 2003


On Fri, 7 Feb 2003, Russ Allbery wrote:

> Joao Prado Maia <jpm at papercut.org> writes:
> 
> > Right, but what should be the proper way, then ? And more than that,
> > should we put this in the actual RFC/new draft so it gets properly
> > documented ?
> 
> Jeff's draft does standardize AUTHINFO as well as address how to move to
> SASL going forward, so that's where this can be resolved.

And a fun question it is, too.  (Details below because the original poster 
sounded interested.)

The longterm solution is that SASL handles all of the character set issues
for us (even newlines, if you manage to make a username or password
containing a newline).


> > But anyway, this was something an user brough up with me saying that
> > a few of his clients couldn't connect because of the space in their
> > usernames.

It more commonly manifests as a problem with passwords, and it's one which 
is remarkable difficult to diagnose.  You're right that the behavior of 
silently ignoring the part after the whitespace is wrong, though.

(INN does this for purely internal historico-technical reasons; a better
solution would be to return an error message explicitly noting whitespace
in the password.  Or more precisely, it should return an error message
indicating that too many arguments were supplied...Russ, should we add
this before 2.4?)


> The only reason why this is potentially problematic is that a lot of
> servers make use of the fact that one can generally tokenize all NNTP
> commands by splitting on spaces, and allowing for spaces in the username
> in AUTHINFO breaks this.

Last time this came up, somebody pointed out that the NNTP draft says
"Keywords and arguments MUST be each separated by one or more US-ASCII
SPACE or US-ASCII TAB characters" which can certainly be read to support 
the view you describe above.

Also, there's the issue of trailing whitespace and newline formats; while
ignoring all trailing whitespace would probably work beautifully (I mean, 
I know people with spaces in their usernames and passwords, but never at 
the end), it's rather ugly.


> (It also breaks AUTHINFO SIMPLE, but I doubt anyone really cares there.)

I hope not.  RFC 2980 says "It is recommended that this command not be
implemented" -- I plan to add some sort of similar note, although I 
haven't figured out what.


-- 
Jeffrey M. Vinocur
jeff at litech.org




More information about the ietf-nntp mailing list