To respond to recent comments in bug 71916 asking for that fix to be 
backed out:

RFC 1436 has "Informational" status; it is not a standards track 
document.  None of the sentences quoted in comment 19 state a 
requirement that a gopher client be able to connect to any port other 
than 70.  The document does state in the Introduction that "Gopher 
servers should listen on port 70"; servers listening on other ports are 
violating that directive of the document.

As for HTTP GET, there is no way I know of for an attacker to get an 
HTTP client to insert a newline before attacker-supplied text.  Newlines 
in URLs are encoded as %0a over the HTTP protocol.  If there is such a 
way, that should be reported through the relevant client's security bug 
reporting procedure.

A dialog box with a "don't show me again" checkbox would not be 
appropriate.  There is no way we could adequately describe the risk to 
the user.  It would be analogous to showing such a dialog box whenever 
the server requests to execute arbitrary code on the client.

A policy of permitting gopher on non-standard ports only from non-HTTP 
(or only from gopher servers) would be ineffective, as an attacker could 
circumvent same by referring the victim to a hostile port 70 gopher 
server which then hands out attack URLs.

The URL gopher://www:80/0GET%20/%20HTTP/1.0%0D%0A is an attack, not a 
feature.  That URL is requesting to bypass any HTTP policies implemented 
either in the client or its HTTP proxy.
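As an added illustration, not part of this message or of the fix discussed in bug 71916, here is a client-side check in the spirit of the policy argued above: it refuses gopher URLs that name a port other than 70, or whose percent-decoded selector contains CR or LF, so the URL quoted in the last paragraph is rejected before any connection is made.  The function name and the exact policy are assumptions.

```python
from urllib.parse import urlsplit, unquote

GOPHER_DEFAULT_PORT = 70  # RFC 1436: "Gopher servers should listen on port 70"


def check_gopher_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a gopher URL under a hypothetical
    client policy: only port 70, and no raw or encoded line breaks in
    the selector that will be written to the socket."""
    # Raw control characters never belong in a URL; urlsplit() would
    # silently strip some of them, so reject before parsing.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False, "control character in URL"

    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return False, "not a gopher URL"

    try:
        port = parts.port  # None when the URL names no port
    except ValueError:
        return False, "malformed port"
    if port is not None and port != GOPHER_DEFAULT_PORT:
        # e.g. gopher://www:80/... would reach an HTTP server instead
        return False, f"non-standard port {port}"

    # The selector is sent verbatim, so decode it the way the client
    # would and look for the CR/LF that turns it into a foreign request.
    selector = unquote(parts.path)
    if parts.query:
        selector += "?" + unquote(parts.query)
    if "\r" in selector or "\n" in selector:
        return False, "CR/LF in selector"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, including the one quoted in the message.
    for u in ("gopher://gopher.example.org/1",
              "gopher://gopher.example.org:70/0about.txt",
              "gopher://www:80/0GET%20/%20HTTP/1.0%0D%0A",
              "gopher://gopher.example.org/0GET%20/%20HTTP/1.0%0D%0A"):
        allowed, reason = check_gopher_url(u)
        print(f"{'allow' if allowed else 'deny '}  {u}  ({reason})")
```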