Manuel Wolfshant
2022-Mar-20 22:28 UTC
[Nut-upsuser] ISE review of I-D: deprecate command VER?
On 3/21/22 00:11, Greg Troxel wrote:> Roger Price<roger at rogerprice.org> writes: > >> I received the following comment from the Independent Submissions Editor (ISE): >> >> The command VER is hazardous because it encourages exploiting of >> implementation peculiarities that are not well documented in a >> protocol.? The best example of such a failure is the browser version >> field in HTTP.? A complete disaster.? You should warn against use of >> this command, or even better, deprecate it. >> >> I was not aware of the disaster in the browser version field, but I >> will warn against use of VER, and deprecate it, if you agree. > I am quite aware of it, but I haven't seen it called out like this. The > basic issue is that we now have a culture of web servers serving N > different versions of pages based on the User-Agent field, instead of > coding to standards and expecting clients to meet standards. "Disaster" > might be a slightly strong word, but it isn't at all confused. > > So a good question is whether it's necessary. Perhaps it's just a > management plane concept, but for SMTP the two sides don't specify > their software or protocol versions.At times I like to play devil's advocate: Connected to outlook-com.olc.protection.outlook.com.. Escape character is '^]'. 220 VE1EUR03FT022.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sun, 20 Mar 2022 22:20:44 +0000 |_ssl-date: 2022-03-20T22:22:21+00:00; 0s from scanner time. Service Info: Host: AM5EUR02FT049.mail.protection.outlook.com; OS: Windows; CPE: cpe:/o:microsoft:windows I am too lazy to check but I am willing to bet a beer that somewhere over there there is an Exchange server> > In general, a fair question is "What if we deleted this? If we wouldn't > have trouble, why are we keeping it?"Connected to dell30-5x. Escape character is '^]'. ver Network UPS Tools upsd 2.7.4 - http://www.networkupstools.org/ quit I for one do not see much trouble in advertising the version of nut and its website. But I am also the person who used lighttpd for 15 years and made it advertise itself as MS IIS and exim advertised as MS Exchange, just for the fun of seeing failed exploits in the logs -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://alioth-lists.debian.net/pipermail/nut-upsuser/attachments/20220321/ba0b35d7/attachment-0001.htm>
Manuel Wolfshant <wolfy at nobugconsulting.ro> writes:> Connected to outlook-com.olc.protection.outlook.com.. > Escape character is '^]'. > 220 VE1EUR03FT022.mail.protection.outlook.com Microsoft ESMTP MAIL > Service ready at Sun, 20 Mar 2022 22:20:44 +0000 > > |_ssl-date: 2022-03-20T22:22:21+00:00; 0s from scanner time. > Service Info: Host: AM5EUR02FT049.mail.protection.outlook.com; OS: > Windows; CPE: cpe:/o:microsoft:windows > > I am too lazy to check but I am willing to bet a beer that somewhere > over there there is an Exchange serverSure; these things leak. The real horror of the web is that clients send version and the server modifies behavior based on it.>> In general, a fair question is "What if we deleted this? If we wouldn't >> have trouble, why are we keeping it?" > Connected to dell30-5x. > > Escape character is '^]'. > ver > Network UPS Tools upsd 2.7.4 - http://www.networkupstools.org/ > quit > > I for one do not see much trouble in advertising the version of nut > and its website. But I am also the person who used lighttpd for 15 > years and made it advertise itself as MS IIS and exim advertised as MS > Exchange, just for the fun of seeing failed exploits in the logsSo how about saying that ver is optional, in that it can return some NULL type of string (empty line). clients may log ver or show to humans for debuging, but they MUST NOT change behavior based on it. The point of a protocol is to speak the defined protocol, and if there is really one protocol per but version, things are off the rails. (I'm not saying there is a problem, just that there's a line nobody should cross and I completely understand where the reviewer is coming from.) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 194 bytes Desc: not available URL: <http://alioth-lists.debian.net/pipermail/nut-upsuser/attachments/20220320/5cbc9bdb/attachment.sig>