[gopher] Re: [Bug 71916] security problem with gopher and arbitary ports
> I think you may have missed some of the sarcasm and rhetorical questions in
> my message, so I'll just omit replies to those...
I was agreeing with you, with more rhetorical banter. (-:
> > The point was Gopher URLs and (ab)using the Gopher protocol can be used
> > to simulate virtually any protocol, including SMTP (read down a little
> > further on the comments, there's an example with SMTP).
>
> It's pretty trivial to do that with IMAP too, since "GET " forms the
> beginning of any IMAP command.
That's my point, but this is all done with a Gopher URL:
gopher://imap.server.tld/LOGIN%20user%password%0A%0D...
The argument for this bug, however, is that the following could be used:
gopher://imap.server.tld/...buffer overflow attack...
From the wrong point of view, the problem is this could be used with any
protocol against any susceptible server, using a Gopher URL, hence Moz
must protect the world from themselves.
The bug was ``fixed'' in such a way because the developers felt it was
somehow impairing Mozilla users, or some such nonsense (and I emphasize
nonsense). I was simply pointing out the argument of the bug ``fix''.
--
Aaron J. Angel <aangel@xxxxxxxxxxxxx>
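
Added example, not part of the original message and not Mozilla's code: a client-side check that refuses gopher URLs pointing at a non-gopher port or carrying percent-encoded CR/LF in the selector, the two properties the thread is arguing about. The function name, the allowed-port policy and the example.org URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, unquote_to_bytes

GOPHER_DEFAULT_PORT = 70                 # default port for gopher:// URLs (RFC 4266)
ALLOWED_PORTS = frozenset({GOPHER_DEFAULT_PORT})  # assumption: local policy, not Mozilla's list


def audit_gopher_url(url, allowed_ports=ALLOWED_PORTS):
    """Return the reasons (possibly none) a client should refuse to fetch `url`."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else GOPHER_DEFAULT_PORT
    except ValueError:
        return ["malformed URL or port"]
    if parts.scheme != "gopher":
        return ["not a gopher URL"]

    findings = []
    if port not in allowed_ports:
        findings.append(f"port {port} is not an allowed gopher port")

    # The path after the leading "/" carries the item type and the selector
    # the client sends, so decode it the way the client would and inspect it.
    raw = parts.path + ("?" + parts.query if parts.query else "")
    sent = unquote_to_bytes(raw[1:])
    if b"\r" in sent or b"\n" in sent:
        findings.append("selector contains CR/LF, so the request spans several lines")
    elif any(b < 0x20 and b != 0x09 for b in sent):  # tab separates a search string
        findings.append("selector contains control characters")
    return findings


# Constructed sample URLs, plus the one quoted in the message above.
SAMPLES = [
    "gopher://gopher.example.org/1/docs",
    "gopher://gopher.example.org:143/1/docs",
    "gopher://imap.server.tld/LOGIN%20user%password%0A%0D...",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_gopher_url(sample) or "ok")
```

The URL quoted in the message names no port, so only the CR/LF check flags it; a port allow-list alone would let it through to port 70.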