Roasting old chestnuts

Robert de Bath list-vnc-list@mayday.cix.co.uk
Sun Jul 6 16:21:01 2003


On Sun, 6 Jul 2003, William Hooper wrote:

> Robert de Bath said:
> > Please don't run away, I do seem to have a new slant on this can of wormy
> > chestnuts.
> >
> > The label on the can is "file transfers".
> [snip]
> > Just use the http server on port 5800+
>
> So you prepose to take the small, generally secure (only one issue that I
> remember off the top of my head), single purpose HTTP server and transform
> it into a full-fledged HTTP server, with all the security and complexity
> issues involved with that?  Seems like a waste.  If you are forwarding
> another port anyway, why not just setup a program that is designed to be
> an HTTP server, or SSH, or any other number of file transfer programs.

Firstly, the things that cause security problems with 'full-fledged HTTP
server's are rarely the file transfer. The problems are the scripting
languages, CGI programs, and the 101 other additions that appear in a
"real" http server above the copy a file down the wire coding that
this is.

The only probable 'security issue' is the very fact that you're uploading
files; that's why I'm suggesting a specific directory for files to arrive
in and the authentication requirement.

As for the 'complexity issue', I don't see it, the http server already
has to accept a potentially infinte input and send a response. The only
difference is that instead of thowing away a large input you store it
in a file, if authenticated.

Secondly, using other tools. Yes that's what I tend to do now.  But it
increases complexity, not only for the installation but also for day
to day use.

Plus it's not the point; file transfer is one of the most requested
features for VNC. I'm just trying to suggest a way it could be done
without bast^H^H^H^Hmangling the RFB protocol.

PS: Don't worry I will get bored an go away soon. :)

-- 
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                       <http://www.cix.co.uk/~mayday>
Google Homepage:   http://www.google.com/search?btnI&q=Robert+de+Bath