Rich Graves wrote:
Now I suppose they'll want me to fix all the pages where I do a finger with a gopher://host:79/0user Any chance this nonfix can be unfixed?
This nonfix was applied to the UNIX and Win32 versions; I haven't checked the other platforms.
It may be unpleasant, but it's a fact that there was a real security hole here. There is a well known buffer overrun bug in finger that a lot of people inside firewalls haven't fixed. Using gopher: URLs in IMG tags it was possible to do nasty things. We tried to err on the side of permissivity, but finger was one port we just couldn't allow. Yes, it sucks. So does someone reaching through your firewall and running commands as root. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw@netscape.com