
[gopher] Re: [Bug 71916] security problem with gopher and arbitrary ports



> I think you may have missed some of the sarcasm and rhetorical questions in
> my message, so I'll just omit replies to those...

I was agreeing with you, with more rhetorical banter.  (-:

> > The point was Gopher URLs and (ab)using the Gopher protocol can be used
> > to simulate virtually any protocol, including SMTP (read down a little
> > further on the comments, there's an example with SMTP).
> 
> It's pretty trivial to do that with IMAP too, since "GET " forms the
> beginning of any IMAP command.

That's my point, but this is all done with a Gopher URL:

	gopher://imap.server.tld/LOGIN%20user%password%0A%0D...

The argument for this bug, however, is that the following could be used:

	gopher://imap.server.tld/...buffer overflow attack...

From the wrong point of view, the problem is this could be used with any
protocol against any susceptible server, using a Gopher URL, hence Moz
must protect the world from themselves.

The bug was ``fixed'' in such a way because the developers felt it was
somehow impairing Mozilla users, or some such nonsense (and I emphasize
nonsense).  I was simply pointing out the argument of the bug ``fix''.

-- 
Aaron J. Angel <aangel@myrealbox.com>
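
A defensive check for the kind of Gopher URL discussed in this message, as an added example that is not part of the original post and not Mozilla's fix: it flags gopher URLs that target a non-default port, carry percent-encoded CR/LF in the selector, or exceed the 255-character selector length RFC 1436 recommends. The function name, the policy and the `example.org` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes

GOPHER_DEFAULT_PORT = 70   # IANA-assigned gopher port
MAX_SELECTOR_BYTES = 255   # RFC 1436 recommends selectors of at most 255 characters


def audit_gopher_url(url):
    """Return a list of findings for a gopher:// URL (hypothetical policy).

    An empty list means the URL passed every check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return ["not a gopher URL"]
    try:
        port = parts.port if parts.port is not None else GOPHER_DEFAULT_PORT
    except ValueError:
        return ["unparseable port"]

    findings = []
    if port != GOPHER_DEFAULT_PORT:
        findings.append(f"non-default port {port}")

    # A gopher client sends the percent-decoded selector to the server as-is,
    # so the checks must run on the decoded bytes, not on the URL text.
    raw = parts.path + ("?" + parts.query if parts.query else "")
    selector = unquote_to_bytes(raw[1:] if raw.startswith("/") else raw)
    if b"\r" in selector or b"\n" in selector:
        findings.append("CR/LF in selector")
    if len(selector) > MAX_SELECTOR_BYTES:
        findings.append(f"selector longer than {MAX_SELECTOR_BYTES} bytes")
    return findings


if __name__ == "__main__":
    samples = [
        "gopher://gopher.example.org/1/docs",                       # constructed
        "gopher://mail.example.org:143/1x%0D%0Ay",                  # constructed
        "gopher://imap.server.tld/LOGIN%20user%password%0A%0D...",  # quoted above
    ]
    for sample in samples:
        print(sample, "->", audit_gopher_url(sample) or "ok")
```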


