[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Ve

From: Thomas Dickey
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability
Date: Fri, 28 Oct 2005 20:35:14 -0400 (EDT)

On Fri, 28 Oct 2005, Thomas Dickey wrote:

On Fri, 28 Oct 2005, Greg MacManus wrote:
I'm not sure what an appropriate fix would be, but potentially a warning
dialog to the user they are about to execute a local program might be
appropriate. Another change I could think of would be to default to
allow nothing to be executed, instead of default to allow all. If the
user wants to execute something, they must add it.

That's probably suitable for novice mode (the default), or intermediate. For advanced mode lynx shows the url in the status line, so a message would be redundant.

I put a patch against dev.14 which does this.  The src/LYCgi.c change is
all that's needed.  See

Thomas E. Dickey

reply via email to

[Prev in Thread] Current Thread [Next in Thread]