lynx-dev

Re: lynx-dev internal links


From: Doug Kaufman
Subject: Re: lynx-dev internal links
Date: Fri, 4 Sep 1998 18:14:10 -0700 (PDT)

On Sat, 5 Sep 1998, Nelson Henry Eric wrote:

> "I assume" that means that the majority opinion is that Lynx should be
> released in the state that any idiot prankster can do what they jolly
> well please.  Well, even if I am just one, I will voice my opinion one
> final time that I think Lynx should nip such tricks in the bud.  Adds,
> what?, 7-8 lines max to the code.

I don't know exactly what the code would look like to fix this problem.
If I understood the problem, it is that headers can be spoofed if
desired. I must admit that I am of two minds on this. For those running
lynx for captive accounts, I believe that it is reasonable to limit
this, both to decrease load on the machine and to protect the reputation
of the site (so as to avoid becoming known as a spam-generating site).
On the other hand, unless sendmail is configured to verify validity of
headers, anyone with a shell account can send mail with misleading
headers (just look at the volume of spam with inaccurate headers). One
of the more common mail clients, pine, is certainly set up to use bcc:,
an easy way to set up a small mailing list. Anyone with a shell account
could reverse any changes that we make and recompile a lynx version
without these limits. Nonetheless, lynx is not designed primarily as a
mail client, and anyone needing bcc: could send mail through one of the
usual clients.

Hence, I think I support Henry in removing the ability to spoof mail
headers (and any similar security holes in the program), perhaps with
the ability to enable this as a configure-time option.
                             Doug
__
Doug Kaufman
Internet: address@hidden (preferred)
          address@hidden
