Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is
From: Leonid Pauzner
Subject: Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Date: Mon, 22 Nov 1999 19:32:46 +0300 (MSK)
22-Nov-99 08:46 Klaus Weide wrote:
> Have a look at this...
> <http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=804>
   !                                                         !^^^^^^^^
BTW, the mail->html converter hosted at @sig.net will not convert such a URL
properly: the anchor address/text are between ! and !, but the rest of the path
happens to be outside of <a>...</a>; see the source below:
<!-- X-URL: http://www.flora.org/lynx-dev/html/month1199/msg00544.html -->
Have a look at this...
<<A
HREF="http://www.securityfocus.com/vdb/bottom.html?section=credit">http://www.securityfocus.com/vdb/bottom.html?section=credit</A>&vid=804>
> That guy likes finding problems in lynx and not telling lynx-dev a word
> about it.
He was afraid of posting to lynx-dev, not being subscribed to the list.
Should we correct the text to avoid such [mis]understanding?
> Anyway, another reason for mistrusting the Forms Based Options.
Well, it seems we need the LYNXOPTIONS: page done without temp files but via
HTStreamStack(). Would this solve all the security issues in this area?
If yes - I could provide a patch (LYNXMESSAGES: was the recent example).
BTW, the recently implemented tree-view at the VisitedLinks page has an options
subpage _without_ any hidden security field and seems to be submitted OK.
Is it correct or am I misunderstanding something (no code handy)?
> Old-style options do not have an 'anti-spoofing' problem.
yes.
> Klaus
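
The converter problem described in the message above (the anchor ending at `&`), as an added example that is not part of the original message or of any converter's code: a minimal Python linkifier that keeps a `<...>`-delimited URL whole and escapes `&` in the generated HTML. The names `linkify`, `SAMPLE` and `BARE`, and the example.org URL, are assumptions made for illustration.

```python
import html
import re

# URL characters per RFC 3986 (unreserved + reserved + '%'). '&' is part of
# the set, so a query string such as "?section=credit&vid=804" stays whole.
_URL_CHARS = r"A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%"
_URL_RE = re.compile(r"(?:https?|ftp)://[" + _URL_CHARS + r"]+")
# Punctuation that normally belongs to the sentence when a URL is bare.
_TRAILING = ".,;:!?)'"

# The quoted line from the message, and a constructed bare-URL line.
SAMPLE = "> <http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=804>"
BARE = "See http://example.org/a?x=1&y=2."


def linkify(line: str) -> str:
    """Return `line` as HTML with each URL wrapped whole in one <a> element."""
    out, pos = [], 0
    for m in _URL_RE.finditer(line):
        url = m.group(0)
        # A URL written as <URL> is delimited explicitly: keep all of it.
        bracketed = (m.start() > 0 and line[m.start() - 1] == "<"
                     and line[m.end():m.end() + 1] == ">")
        if not bracketed:
            url = url.rstrip(_TRAILING)
        out.append(html.escape(line[pos:m.start()]))
        # '&' becomes '&amp;' in both the attribute and the link text, so a
        # browser reads back exactly the URL the author wrote.
        esc = html.escape(url, quote=True)
        out.append(f'<a href="{esc}">{esc}</a>')
        pos = m.start() + len(url)
    out.append(html.escape(line[pos:]))
    return "".join(out)


def href_of(markup: str) -> str:
    """Return the first href in `markup`, decoded the way a browser would."""
    return html.unescape(re.search(r'href="([^"]*)"', markup).group(1))


if __name__ == "__main__":
    print(linkify(SAMPLE))
    print(linkify(BARE))
```

Comparing `href_of(linkify(line))` with the URL in the source text is a quick regression check for an archive converter: a mismatch means readers follow a different link than the one the author posted.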