From: Russ Allbery (rra@stanford.edu)
Date: Wed Jun 30 2004 - 02:23:32 CDT
Frank Ellermann <nobody@xyzzy.claranet.de> writes:
> Russ Allbery wrote:
>> Nope, doesn't help. "Subject: cmsg" isn't interpreted only
>> by the server to which the message is posted, but at every
>> single news server that receives the article down the line
> Oops, that's something I haven't seen "in the real world" so
> far (minus groups.google oddities). Of course it was _meant_
> this way (before RfC 1036), and today's news servers still try
> to protect their older colleagues (or they even add a missing
> "Control: cancel" to an _injected_ "Subject: cmsg cancel"), but
> that's all about injection and not relaying.
> You say that there are still some _existing_ pre-1036 servers ?
> That's incompatible with Bruce's statement, that cmsg is dead.
Accepting and acting on Subject: cmsg is actually required by RFC 1036 for
backward compatibility, so this isn't pre-1036 behavior. Not doing this
is breaking compatibility with RFC 1036, so while we decided to do that in
INN a while back, I would expect that most news software still follows RFC
1036 in this regard and will continue to do so at least until some time
after we release a standard that changes this.
RFC 1036 says:
Also for upward compatibility, if the first 4 characters of the
"Subject:" line are "cmsg", the rest of the "Subject:" line should
be interpreted as a control message.
>> the mail to news gateway has to proactively deal with this
>> issue or risk odd things happening in various parts of the
>> net.
> Today, that's still _necessary_ today ? Not only a convention
> trying to protect something which was already obsolete 1987 ?
Right.
Many gateways don't bother because the issue is rare, but if they aren't
careful, there is a potential security hole here (one could use the mail
to news gateway to inject cancel messages that took effect at sites that
supported Subject: cmsg, for example).
-- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>