On 2026-03-17 09:40, Simon Josefsson wrote:
Collin Funk <[email protected]> writes:
The lack of sanitization is fine. It is only a problem when combined
with the incorrect behavior of that link being followed.
I agree.
While it works to preserve the original suboption data, my suggestion
is to use the hexadecimal representation of all bytes received, without
raw form displayed, even for byte values considered to be printable.
That would prevent the possibility of debug log line forgery and
terminal answerback attacks ever occurring.
I submitted a pull request to address that [1].
[1] https://codeberg.org/inetutils/inetutils/pulls/20
I'm not completely opposed to solving it like this, but it feels like a
hack.
Why are we opening a hard-coded path file like this in the first place?
Couldn't we use syslog for logging here? That's what ftpd --debug
uses.
Did anyone review other telnetd implementations? NetKit, BSD, Solaris,
etc. Is --debug widely and consistently implemented?
The Solaris implementation of telnetd doesn't have a debug mode, and
OpenBSD hasn't shipped a telnetd in years.
NetKit's telnetd, and the native FreeBSD & NetBSD telnetd implementations
don't log debug output to a file. When those daemons are executed with
the -D command line option, diagnostic information is sent to the client
instead.
FreeBSD doesn't include telnetd in the base installation any more, so
it has to be acquired (as freebsd-telnetd) through the ports collection.
Regards,
Justin
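
The hex-only formatting suggested in this message, as an added C sketch that is not code from inetutils or from the pull request. The names `hex_only` and `is_log_safe`, the buffer sizes and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not inetutils code: format every received byte as
   two hex digits separated by spaces. No byte is ever copied raw, so the
   output alphabet is [0-9a-f ] whatever the peer sends. Returns the number
   of input bytes encoded; stops early rather than overflow `out`. */
size_t hex_only(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    size_t i, o = 0;

    if (outlen == 0)
        return 0;
    for (i = 0; i < inlen; i++) {
        size_t need = i ? 3 : 2;        /* separator + two digits */
        if (o + need + 1 > outlen)      /* keep room for the NUL */
            break;
        if (i)
            out[o++] = ' ';
        out[o++] = digits[in[i] >> 4];
        out[o++] = digits[in[i] & 0x0f];
    }
    out[o] = '\0';
    return i;
}

/* True when a formatted line holds only hex digits and spaces. */
int is_log_safe(const char *s)
{
    return strspn(s, "0123456789abcdef ") == strlen(s);
}

/* Constructed sample: printable bytes mixed with LF, ESC, DEL and 0xff. */
static const unsigned char sample[] = { 'A', 0x0a, 0x1b, 'B', 0x7f, 0xff };
static char line[64];
static char tiny[6];

int main(void)
{
    size_t n = hex_only(sample, sizeof sample, line, sizeof line);
    printf("%zu bytes: %s (safe=%d)\n", n, line, is_log_safe(line));
    n = hex_only(sample, sizeof sample, tiny, sizeof tiny);
    printf("truncated after %zu bytes: %s\n", n, tiny);
    return 0;
}
```

The return value lets a caller note in the log that a suboption was truncated instead of silently dropping the tail.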