lynx-dev

Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is


From: Klaus Weide
Subject: Re: lynx-dev lynx 2.8.x - 'special URLs' anti-spoofing protection is weak
Date: Mon, 22 Nov 1999 11:30:48 -0600 (CST)

On Mon, 22 Nov 1999, Leonid Pauzner wrote:

> 22-Nov-99 08:46 Klaus Weide wrote:
> > Have a look at this...
> 
> >  <http://www.securityfocus.com/vdb/bottom.html?section=credit&vid=804>
>     !                                                         !^^^^^^^^
> BTW, the mail->html converter hosted at @sig.net will not convert such a URL
> properly: the anchor address/text are between ! and ! but the rest of the path
> happens to be outside of <a>...</a>, see source below:

I can't do much better than enclosing everything in '<' '>'...

> > That guy likes finding problems in lynx and not telling lynx-dev a word
> > about it.
> He was afraid of posting to lynx-dev, not being subscribed to the list.
> Should we correct the text to avoid such [mis]understanding?

I don't know which text would cause such [mis]understandings.

> Well, seems we need LYNXOPTIONS: page done without temp files but via
> HTStreamStack(). Would this solve all the security issues in this area?
> If yes - I could provide a patch (LYNXMESSAGES: was the recent example).

Might be nice - but I don't see that it is necessary for this purpose.

Certainly it's no big difficulty for lynx to "know" that "this file: URL
here represents the Options Page", and to not "forget" this until it
comes to submission.  Just allow LYNXOPTIONS:(with-post-data?) only
if it comes from the page with that special address.  This is nothing
new, other special pages already have checks like this.  The "new" thing
was LYNXOPTIONS trying something fancy with "secure".


    Klaus
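
The origin check described in the message above, sketched as an added example (not part of the original message and not lynx source): the browser records the address of the options form it generated and accepts a LYNXOPTIONS: submission only from that address. All function names and the sample addresses are hypothetical, and the treatment of requests without post data is an assumption.

```c
/* Added illustration; every name here is hypothetical, not lynx source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static char options_page_addr[256]; /* address of the form the browser generated */

/* Called when the browser writes its own options form and displays it. */
void remember_options_page(const char *addr)
{
    snprintf(options_page_addr, sizeof options_page_addr, "%s", addr);
}

/* Called once the submission is handled or the form is no longer valid. */
void forget_options_page(void)
{
    options_page_addr[0] = '\0';
}

/* Case-insensitive scheme test, so "lynxoptions:" cannot slip past the check. */
static int is_options_url(const char *url)
{
    const char *scheme = "LYNXOPTIONS:";
    for (; *scheme; scheme++, url++)
        if (toupper((unsigned char)*url) != *scheme)
            return 0;
    return 1;
}

/* Returns 1 to allow the request, 0 to refuse it.
 * Assumption: without post data the URL only displays the form. */
int allow_request(const char *target, int has_post, const char *from_addr)
{
    if (!is_options_url(target) || !has_post)
        return 1;                       /* not a submission to LYNXOPTIONS: */
    if (from_addr == NULL || options_page_addr[0] == '\0')
        return 0;                       /* no generated form is outstanding */
    return strcmp(from_addr, options_page_addr) == 0;
}

int main(void)
{
    const char *form = "file://localhost/tmp/L0000-0TMP.html"; /* constructed */
    remember_options_page(form);
    printf("own form:    %d\n", allow_request("LYNXOPTIONS:/", 1, form));
    printf("remote form: %d\n",
           allow_request("lynxoptions:/", 1, "http://example.invalid/x.html"));
    forget_options_page();
    printf("stale form:  %d\n", allow_request("LYNXOPTIONS:/", 1, form));
    return 0;
}
```

The decision rests on state the browser keeps itself, never on a field carried in the submitted data.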

