It is probably against a RFC to accept these messages, but I'm not
concerned about the User-Agent header. I went looking for a way to relax
the check, but is strict for all headers in innd/art.c:
/* Find first colon */
if ((colon = memchr(header, ':', size)) == NULL || !ISWHITE(colon[1])) {
if ((p = memchr(header, '\r', size)) != NULL)
*p = '\0';
snprintf(cp->Error, sizeof(cp->Error),
"%d No colon-space in \"%s\" header field",
ihave ? NNTP_FAIL_IHAVE_REJECT : NNTP_FAIL_TAKETHIS_REJECT,
MaxLength(header, header));
if (p != NULL)
*p = '\r';
return;
}
I know there are potential implications for accepting messages with
empty headers, but do we need to treat all headers so strictly?
Jesse Rehmer <jesse.rehmer@blueworldhosting.com> writes:
It is probably against a RFC to accept these messages, but I'm not concerned about the User-Agent header. I went looking for a way to
relax the check, but is strict for all headers in innd/art.c:
/* Find first colon */
if ((colon = memchr(header, ':', size)) == NULL ||
!ISWHITE(colon[1])) { if ((p = memchr(header, '\r', size)) != NULL)
*p = '\0';
snprintf(cp->Error, sizeof(cp->Error),
"%d No colon-space in \"%s\" header field",
ihave ? NNTP_FAIL_IHAVE_REJECT : NNTP_FAIL_TAKETHIS_REJECT, MaxLength(header, header));
if (p != NULL)
*p = '\r';
return;
}
I know there are potential implications for accepting messages with
empty headers, but do we need to treat all headers so strictly?
We do need to be pretty strict, since otherwise you can get into
really nasty situations with ambiguous parses where two servers may
disagree about something fundamental like the message ID of the
article.
I think if someone wanted to send a patch that added the ability to
accept articles with headers that (a) weren't part of the protocol
(so not Message-ID, Path, etc.), (b) specifically ended in a colon
and a newline and no other variation, and (c) did not have a
continuation, and it was configurable with the syntaxchecks setting
and was off by default, that would be worth considering. I wouldn't
want to relax the checks any farther than that. (It may be a bit
difficult to wedge that into innd's code, though, since the above
error happens at a fairly low level of the parse.)
On Wed, 01 Feb 2023 08:00:45 -0800
Russ Allbery <eagle@eyrie.org> wrote:
Jesse Rehmer <jesse.rehmer@blueworldhosting.com> writes:
It is probably against a RFC to accept these messages, but I'm not
concerned about the User-Agent header. I went looking for a way to
relax the check, but is strict for all headers in innd/art.c:
/* Find first colon */
if ((colon = memchr(header, ':', size)) == NULL ||
!ISWHITE(colon[1])) { if ((p = memchr(header, '\r', size)) != NULL)
*p = '\0';
snprintf(cp->Error, sizeof(cp->Error),
"%d No colon-space in \"%s\" header field",
ihave ? NNTP_FAIL_IHAVE_REJECT :
NNTP_FAIL_TAKETHIS_REJECT, MaxLength(header, header));
if (p != NULL)
*p = '\r';
return;
}
I know there are potential implications for accepting messages with
empty headers, but do we need to treat all headers so strictly?
We do need to be pretty strict, since otherwise you can get into
really nasty situations with ambiguous parses where two servers may
disagree about something fundamental like the message ID of the
article.
I think if someone wanted to send a patch that added the ability to
accept articles with headers that (a) weren't part of the protocol
(so not Message-ID, Path, etc.), (b) specifically ended in a colon
and a newline and no other variation, and (c) did not have a
continuation, and it was configurable with the syntaxchecks setting
and was off by default, that would be worth considering. I wouldn't
want to relax the checks any farther than that. (It may be a bit
difficult to wedge that into innd's code, though, since the above
error happens at a fairly low level of the parse.)
I wouldn't be happy about relaxing the checks or having a server feed
in that does. They're there for a reason. Most legitimate users are
going to follow the RFC. Spammers and script kiddies are less likely to adhere to the requirements, which is where we get them.
The proper course of action is to identify if the messages are
legitimate and then refer the poster to their software's author to
correct the issue.
Once you start making exceptions for one, then you're going to be
making exceptions for others and, as you say, this could lead to a
nasty mess. Let's please not fix innd which isn't broken to fix a
client that is.
I've been on auto-pilot for a bit, but started checking logs/reports today and
notice an increasing number of articles rejected due to the following:
439 No colon-space in "User-Agent:" header field
When reviewing headers of the those messages there is a User-Agent: header, but its blank and does not contain a space.
It is probably against a RFC to accept these messages
but I'm not concerned
about the User-Agent header. I went looking for a way to relax the check, but is strict for all headers in innd/art.c:
/* Find first colon */
if ((colon = memchr(header, ':', size)) == NULL || !ISWHITE(colon[1])) {
if ((p = memchr(header, '\r', size)) != NULL)
*p = '\0';
snprintf(cp->Error, sizeof(cp->Error),
"%d No colon-space in \"%s\" header field",
ihave ? NNTP_FAIL_IHAVE_REJECT : NNTP_FAIL_TAKETHIS_REJECT,
MaxLength(header, header));
if (p != NULL)
*p = '\r';
return;
}
Hi Jesse,
If you're looking for a quick-and-dirty hack for that very header field,
I think the following check would do the trick (not tested):
@@ -644,10 +644,12 @@ ARTcheckheader(CHANNEL *cp, int size)
if ((colon = memchr(header, ':', size)) == NULL ||
!ISWHITE(colon[1])) {
if ((p = memchr(header, '\r', size)) != NULL)
*p = '\0';
+ if (strcasecmp(header, "User-Agent:") != 0 || colon[1] != '\0') {
snprintf(cp->Error, sizeof(cp->Error),
"%d No colon-space in \"%s\" header field",
ihave ? NNTP_FAIL_IHAVE_REJECT : NNTP_FAIL_TAKETHIS_REJECT,
MaxLength(header, header));
+ }
if (p != NULL)
*p = '\r';
return;
I wouldn't be happy about relaxing the checks or having a server feed
in that does. They're there for a reason. Most legitimate users are
going to follow the RFC. Spammers and script kiddies are less likely
to adhere to the requirements, which is where we get them.
The proper course of action is to identify if the messages are
legitimate and then refer the poster to their software's author to
correct the issue.
Once you start making exceptions for one, then you're going to be
making exceptions for others and, as you say, this could lead to a
nasty mess. Let's please not fix innd which isn't broken to fix a
client that is.
We do need to be pretty strict, since otherwise you can get into really
nasty situations with ambiguous parses where two servers may disagree
about something fundamental like the message ID of the article.
I think if someone wanted to send a patch that added the ability to
accept articles with headers that (a) weren't part of the protocol
(so not Message-ID, Path, etc.), (b) specifically ended in a colon and
a newline and no other variation, and (c) did not have a continuation,
and it was configurable with the syntaxchecks setting and was off by
default, that would be worth considering.
I wouldn't want to relax the checks any farther than that. (It may
be a bit difficult to wedge that into innd's code, though, since the
above error happens at a fairly low level of the parse.)
I've been on auto-pilot for a bit, but started checking logs/reports today and
notice an increasing number of articles rejected due to the following:
439 No colon-space in "User-Agent:" header field
When reviewing headers of the those messages there is a User-Agent: header, but its blank and does not contain a space.
It is probably against a RFC to accept these messages,
Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
I've been on auto-pilot for a bit, but started checking logs/reports today and
notice an increasing number of articles rejected due to the following:
439 No colon-space in "User-Agent:" header field
When reviewing headers of the those messages there is a User-Agent: header, >> but its blank and does not contain a space.
It is probably against a RFC to accept these messages,
The colon is merely a separator between field name and field value. The
space afterward is only for human readability and is not mandated by the RFCs. The whitespace following a colon is part of the field value and is typically trimmed out.
Check the RFCs; people assume the space following a colon is mandatory, but it's not.
Ah, nicely done. I'd only looked at RFC 5322. Didn't know the NNTP one differed.
On 2023-02-07, D Finnigan <dog_cow@macgui.com> wrote:
Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
I've been on auto-pilot for a bit, but started checking logs/reports today and
notice an increasing number of articles rejected due to the following:
439 No colon-space in "User-Agent:" header field
When reviewing headers of the those messages there is a User-Agent: header, >>> but its blank and does not contain a space.
It is probably against a RFC to accept these messages,
The colon is merely a separator between field name and field value. The
space afterward is only for human readability and is not mandated by the
RFCs. The whitespace following a colon is part of the field value and is
typically trimmed out.
Check the RFCs; people assume the space following a colon is mandatory, but >> it's not.
I think you should check the RFCs before telling people off for not
doing so. Here is what the current RFC, RFC 5536, says (sec. 2.2):
[...]They are legimately posted articles in my eyes, but maybe not
others.
After examining a larger sampling of these articles, they
appear to be noise and I'm not concerned about dropping them.
I will keep this code stashed away though, it may come in handy in the future as lazy developers write more client software that isn't compliant.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (3 / 13) |
Uptime: | 74:09:25 |
Calls: | 6,715 |
Calls today: | 3 |
Files: | 12,246 |
Messages: | 5,357,271 |