Erik Auerswald <[email protected]> writes:

> the method seems to be plausible, because a Telnet client can send any
> environment variable to a Telnet server, and GNU Inetutils' Telnet
> server does not restrict this.

Indeed. Is there any cross-telnet adopted way to resolve this?
Comparing to the SSH world, OpenSSH has this:

     AcceptEnv
             Specifies what environment variables sent by the client will be
             copied into the session's environ(7).  See SendEnv and SetEnv in
             ssh_config(5) for how to configure the client.  The TERM
             environment variable is always accepted whenever the client
             requests a pseudo-terminal as it is required by the protocol.
             Variables are specified by name, which may contain the wildcard
             characters ‘*’ and ‘?’.  Multiple environment variables may be
             separated by whitespace or spread across multiple AcceptEnv
             directives.  Be warned that some environment variables could be
             used to bypass restricted user environments.  For this reason,
             care should be taken in the use of this directive.  The default
             is not to accept any environment variables.

Is there any reason we shouldn't adopt something similar? Especially
the last sentence. Allowing clients to set environment variables seems
like a never-ending source of concerns.

/Simon
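
What an AcceptEnv-like, default-deny allowlist could look like on the server side, as an added example that is not part of the message above and is not GNU Inetutils or OpenSSH code. The function names and the sample variables are assumptions, and fnmatch(3) stands in for the wildcard matching (it also honours bracket expressions, which AcceptEnv does not mention).

```c
/* AcceptEnv-style default-deny filter; names are hypothetical, not Inetutils code. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if NAME matches one of the N accept patterns ('*' and '?'
 * wildcards, as in OpenSSH AcceptEnv). An empty list accepts nothing. */
static int env_name_accepted(const char *name,
                             const char *const *patterns, size_t n)
{
    if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
        return 0;               /* malformed name: never accept */
    for (size_t i = 0; i < n; i++)
        if (fnmatch(patterns[i], name, 0) == 0)
            return 1;
    return 0;                   /* default deny */
}

/* Copy accepted "NAME=value" entries from IN to OUT (capacity OUT_CAP).
 * Returns the number of entries kept; rejected entries are dropped. */
static size_t filter_client_env(const char *const *in, size_t in_n,
                                const char *const *patterns, size_t pat_n,
                                const char **out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < in_n && kept < out_cap; i++) {
        const char *eq = strchr(in[i], '=');
        char name[128];
        size_t len = eq ? (size_t)(eq - in[i]) : 0;
        if (eq == NULL || len == 0 || len >= sizeof name)
            continue;           /* no '=', empty or oversized name */
        memcpy(name, in[i], len);
        name[len] = '\0';
        if (env_name_accepted(name, patterns, pat_n))
            out[kept++] = in[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed sample input, not taken from the thread. */
    const char *const sent[] = { "LANG=en_US.UTF-8", "LC_ALL=C",
                                 "LD_PRELOAD=libexample.so", "=bad", "DISPLAY=:0" };
    const char *const accept[] = { "LANG", "LC_*" };
    const char *kept[5];
    size_t n = filter_client_env(sent, 5, accept, 2, kept, 5);
    for (size_t i = 0; i < n; i++) puts(kept[i]);
    return 0;
}
```

With an empty pattern list every client-sent variable is dropped, which mirrors the OpenSSH default quoted above.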
