Re: [Lynx-dev] session→syslog?!

From: Thomas Dickey
Subject: Re: [Lynx-dev] session→syslog?!
Date: Wed, 10 Nov 2010 17:01:42 -0500 (EST)

On Wed, 10 Nov 2010, Thorsten Glaser wrote:

> This is a more than serious bug (possible disclosure of passwords,
> definitive disclosure of privacy), if lynx does this out of the box:

syslog's been there more than ten years (look in CHANGES):

2009-08-28 (2.8.8dev.1)
* change compiled-in default for SYSLOG_REQUESTED_URLS to false (prompted by
  Debian #537907) -TD

see also

2004-12-30 (2.8.6dev.9)
* add command-line option (-syslog-urls) and lynx.cfg settings (SYSLOG_TEXT,
  SYSLOG_REQUESTED_URLS) to allow syslog'ing of URLs to be optional.  This
  cannot be set from the options menu (Debian #282739) -TD

1999-09-13 (2.8.3dev.9)
* fix potential security problem with SYSLOG_REQUESTED_URLS, which would let
  syslog() send sensitive information as broadcast to any syslog daemon that
  care to listen.
  E.g. URLs with embedded passwords are sent to syslog:
    Sep 11 12:26:06 lynx[16177]: ftp://joe:address@hidden/~joe
  The patch masks the password by breaking up the URL and replacing
  the password with "******" (Gisle Vanem <address@hidden>).

Thomas E. Dickey
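
The password masking described in the 1999-09-13 CHANGES entry above, as an added example that is not part of the original message and is not Lynx's own code: the URL is split at its authority component and the password in the userinfo is replaced with "******" before the string is handed to a logger. The function name `mask_url_password` is hypothetical and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out with any password in the authority's userinfo replaced
 * by a fixed "******" (so the password length is not logged either).
 * Returns 0 on success, -1 if out is too small.
 * Hypothetical helper for illustration, not a Lynx function. */
int mask_url_password(const char *url, char *out, size_t outlen)
{
    const char *auth, *end, *at = NULL, *colon, *p;
    int n;

    auth = strstr(url, "://");
    if (auth != NULL) {
        auth += 3;
        end = auth + strcspn(auth, "/?#");   /* authority ends here */
        for (p = auth; p < end; p++)         /* last '@' ends the userinfo */
            if (*p == '@')
                at = p;
    }
    /* First ':' inside the userinfo separates user from password. */
    colon = at ? memchr(auth, ':', (size_t)(at - auth)) : NULL;
    if (colon == NULL)                       /* no password: copy unchanged */
        n = snprintf(out, outlen, "%s", url);
    else                                     /* keep "scheme://user:", mask, keep "@host..." */
        n = snprintf(out, outlen, "%.*s******%s",
                     (int)(colon + 1 - url), url, at);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from real logs. */
    const char *samples[] = {
        "ftp://joe:secret@ftp.example.org/~joe",
        "ftp://joe:p@ss@ftp.example.org/",       /* '@' inside the password */
        "http://example.org/path?x=a:b@c",       /* ':' and '@' only in query */
        "https://user@example.org/",             /* user name, no password */
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (mask_url_password(samples[i], buf, sizeof buf) == 0)
            printf("%s\n", buf);
    return 0;
}
```

Masking only covers credentials in the userinfo part; a URL whose query string carries a token or session id is still logged in full, which is why the later entries make URL logging optional and off by default.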
