Test rig

Julien ÉLIE julien at trigofacile.com
Tue Jul 14 19:09:14 UTC 2015 

Hi Richard,

>>>> - Empty Followup-To: header with POST -> does the resulting
>>>> article <4Dd2+P3h5tnpEkLjnDr9qhGr at test.terraraq.uk> contain that
>>>> empty header? nnrpd normally removes it.
>> 
>> we have now to decide whether nnrpd has to reject the post or 
>> remove empty header fields.

For the archives of this thread, we finally preferred (after private
discussion) to keep that legacy feature.
A few news clients still rely on this behaviour, and put empty headers
(for instance Followup-To, Summary and Keywords) in the editor.  These
headers are then removed by nnrpd, and a few other server software.

A commit has been done to mention that in nnrpd's code.

--- post.c	2015-07-07 16:37:51 UTC (rev 9917)
+++ post.c	2015-07-11 18:54:50 UTC (rev 9918)
@@ -363,6 +363,10 @@
 	}
 	if (hp->Value) {
 	    hp->Len = TrimSpaces(hp->Value);
+            /* If the header is empty, we just remove it.  We do not reject
+             * the article, contrary to what an injecting agent is supposed
+             * to do per Section 3.5 of RFC 5537.  (A revision to RFC 5537
+             * may someday allow again that existing and useful feature.) */
 	    if (hp->Len == 0)
 		hp->Value = hp->Body = NULL;
 	}




>>>> - Malformed From: header with POST -> could you please tell what is the
>>>> malformed header you tried?  I think nnrpd should enforce a valid
>>>> syntax, so this one is a real bug.
>>
>> so you're right that "From: @example.com" should also be rejected.

nnrpd currently does a very very basic check of the From: header field.
It only makes sure that the header contains "@" and "." in that order.

We could of course do more checks.  Nonetheless, I believe strictly
enforcing the RFC 5322 grammar is too restrictive for nnrpd (and even
problematic for UTF-8 internationalized headers).

Maybe these three other checks could be added:
- at least one non-whitespace character before "@";
- at least one non-whitespace character between "@" and ".";
- at least one non-whitespace character after that ".".

No check that this address is outside a comment.


Do you believe other useful checks should be added?




>>>> IHAVE/CHECK/TAKETHIS is the right legacy behaviour.  Doing otherwise
>>>> would break backwards compatibility so it shouldn't be encouraged right
>>>> now.  Maybe in the future...
>
> That's fine, but I'm going to leave it as an 'expected failure' rather
> than success, since it does seem to be an RFC violation.

Do you happen to send CAPABILITIES at the beginning of each NNTP session
of your test rig?
innd could send the expected 501 code to clients that we are sure they
implement version 2 of NNTP (RFC 3977).  And we keep backwards compatibility
otherwise, with 43x response codes.
It could be a good move to do, couldn't it?

-- 
Julien ÉLIE

« O fortunatos nimium, sua si bona norint, agricolas. » (Virgile)

More information about the inn-workers mailing list