Re: LYNX-DEV lynx2-7-1


From: Klaus Weide
Subject: Re: LYNX-DEV lynx2-7-1
Date: Thu, 24 Jul 1997 18:42:57 -0500 (CDT)

On Wed, 23 Jul 1997, Jon Schewe wrote:

> I've compiled lynx2-7-1 and found a rather annoying problem.  Whenever I try
> to change the permissions on a file I get the form that has me set the
> permissions that I want and then I hit submit and I get an alert that Action
> can't be done with this special URL.  The code that addresses this is around
> line 2261 of LYMainLoop.c.  The one in particular is the comparison to
> LYNXDIRED that it dies on.  Any help here would be appreciated.
> 
> I'd just comment out the section except that I'm figuring it's there for a
> reason.  Thanks.

It seems you are not using just "lynx2-7-1", but
lynx2-7-1+(recent)fotemods.  At least that's where I found the problem
"around line 2261".  It is also present in the
<http://sol.slcc.edu/lynx/current/> development code (at different line
numbers, of course), but not in plain Lynx 2.7.1.

I assume you are referring to this:

                        /*
                         *  Make sure this isn't a spoof attempt
                         *  via an internal URL. - FM
                         */
                        if (!strncasecomp(
                                    links[curdoc.link].form->submit_action,
                                          "LYNXCOOKIE:", 11) ||
                            !strncasecomp(
                                    links[curdoc.link].form->submit_action,
                                          "LYNXDIRED:", 10) ||
 
I think these checks were introduced as part of the 1997-06-26 changes
(see your FOTEMODS file, or CHANGES.new for the development code).
They are a bit overzealous, because they stop LYNXDIRED: from working
in the one situation which you have found where it is used as a FORM
ACTION.

If you just comment out the last three lines quoted above, things
should work again.  (But I haven't tested that with the fotemods code,
only with the devel code.)  But that check may protect you from some
spoofing attempts.  Here is a more paranoid version, to replace those
last three lines:

                            (!strncasecomp(
                                    links[curdoc.link].form->submit_action,
                                          "LYNXDIRED:", 10)
#ifdef DIRED_SUPPORT
                             && (no_dired_support ||
                                 strcmp((curdoc.title ? curdoc.title : ""),
                                        PERMIT_OPTIONS_TITLE) ||
                                 strncmp(curdoc.address,
                                         "file://localhost", 16) ||
                                 strncasecomp(curdoc.address + 16,
                                              lynx_temp_space,
                                              strlen(lynx_temp_space)) ||
                                 is_url(curdoc.address) != FILE_URL_TYPE ||
                                 !LYisLocalFile(curdoc.address)
                                 )
#endif /* DIRED_SUPPORT */
                                ) ||

I know, that's overkill with some redundant tests...  on the other
hand, it's probably still not enough to protect against all possible
spoofing attempts, and is only for the Modify Permissions case.  If
you are really paranoid you probably shouldn't have dired support
enabled while browsing other people's webpages.  The DIRED code (which
includes the various actions one can do on local files) hasn't had the
same kind of scrutiny as for example recently the Download code -
AFAIK.

    Klaus
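
The check discussed in the message above, modelled as a stand-alone C function: an internal LYNXDIRED: form action is accepted only when the page holding the form looks like the permissions form Lynx generated itself. This is an added example, not code from Lynx or from the post; struct doc, form_action_allowed, the title and temp-directory values are assumptions, and the "/../" test goes beyond the posted check.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* POSIX strncasecmp, standing in for Lynx's strncasecomp */

/* Constructed stand-ins for Lynx's PERMIT_OPTIONS_TITLE and lynx_temp_space. */
#define PERMIT_TITLE "Permit Options"
#define TEMP_SPACE   "/tmp/"
#define LOCAL_PREFIX "file://localhost"

struct doc {              /* hypothetical model of curdoc */
    const char *address;  /* URL of the page that contains the form */
    const char *title;    /* may be NULL */
};

static int has_scheme(const char *url, const char *scheme)
{
    return strncasecmp(url, scheme, strlen(scheme)) == 0;
}

/* True only if the page looks like the permissions form Lynx wrote itself. */
static int is_generated_permit_page(const struct doc *d)
{
    const char *path;
    if (strcmp(d->title ? d->title : "", PERMIT_TITLE) != 0) return 0;
    if (strncmp(d->address, LOCAL_PREFIX, strlen(LOCAL_PREFIX)) != 0) return 0;
    path = d->address + strlen(LOCAL_PREFIX);
    if (strncmp(path, TEMP_SPACE, strlen(TEMP_SPACE)) != 0) return 0;
    /* Extra to the posted check: a prefix match alone accepts "/tmp/../". */
    return strstr(path, "/../") == NULL;
}

/* Returns 1 if the form may be submitted to `action`, 0 if refused. */
int form_action_allowed(const struct doc *d, const char *action, int dired_on)
{
    if (has_scheme(action, "LYNXCOOKIE:")) return 0;
    if (has_scheme(action, "LYNXDIRED:"))
        return dired_on && is_generated_permit_page(d);
    return 1; /* ordinary actions are not affected by this check */
}

int main(void)
{
    struct doc own = { "file://localhost/tmp/L1-2TMP.html", PERMIT_TITLE };
    struct doc web = { "http://example.test/p.html", PERMIT_TITLE };
    printf("own page: %d, web page: %d\n",
           form_action_allowed(&own, "LYNXDIRED:constructed", 1),
           form_action_allowed(&web, "LYNXDIRED:constructed", 1));
    return 0;
}
```

The title comparison alone proves nothing, since any page can set its own title; the address tests are what tie the form to a file Lynx wrote locally.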


