Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with
From: Thomas Dickey
Subject: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Date: Wed, 16 Nov 2016 04:16:37 -0500
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Nov 16, 2016 at 08:41:46AM +0100, Axel Beckert wrote:
> Hi Thomas,
>
> Thomas Dickey wrote:
> > On Wed, Nov 16, 2016 at 12:30:59AM +0100, Axel Beckert wrote:
> > > Thomas Dickey wrote:
> > > > > > Alert!: User/password may appear to be a hostname: 'google.com?'
> > > > > > (e.g, 'google.com')
> > > > > >
> > > > > > Then it takes me to http://www.debian.org/
> > > > >
> > > > > yes - and I was using the trace to see if I'd gotten the right host.
> > > > > The trace is (based on strace...) incorrect. I'll fix that.
> > > >
> > > > Here's the change which I just applied, which seems to work.
> > >
> > > At least fixes the redirect target for me.
> > >
> > > > If there's no further changes needed, I'll release that as dev.11
> > >
> > > I wonder, though, if the "User/password may appear to be a
> > > hostname" alert is now still needed for that case.
> >
> > Technically it's not needed, but some people apparently believe that
> > dots in a username make it a hostname.
>
> That's my point: The case http://address@hidden/ doesn't
> have a user name -- it just has a host name and a query string.
>
> So IMHO the warning is obsolete in this specific case, i.e. with "?@"
> without "/" before it.
I see (for dev.12, then - dev.11 was last night)
--
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net
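
The parsing rule discussed in this message (a '?' before any '/' ends the host part, so an '@' after it belongs to the query string and there is no user name to warn about), as an added example that is not part of the original message and is not Lynx's code. The names `split_authority` and `struct authority`, the dot-in-userinfo warning heuristic, and the sample URLs with placeholder host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: the parts of a URL's authority component. */
struct authority {
    char host[256];     /* host[:port] the client would connect to */
    char userinfo[256]; /* empty when the URL carries no user/password */
    int warn_userinfo;  /* 1 when userinfo has a dot and may look like a host */
};

/* Returns 0 on success, -1 if there is no "//" or a part does not fit. */
int split_authority(const char *url, struct authority *out)
{
    const char *start = strstr(url, "//");
    if (start == NULL)
        return -1;
    start += 2;
    /* RFC 3986: the authority ends at the first '/', '?' or '#'. */
    size_t auth_len = strcspn(start, "/?#");
    /* Only an '@' inside the authority separates userinfo from host.
     * Taking the last one is a choice made for this example. */
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (start[i] == '@')
            at = start + i;
    size_t user_len = at ? (size_t)(at - start) : 0;
    const char *host = at ? at + 1 : start;
    size_t host_len = auth_len - (size_t)(host - start);
    if (user_len >= sizeof out->userinfo || host_len >= sizeof out->host)
        return -1;
    memcpy(out->userinfo, start, user_len);
    out->userinfo[user_len] = '\0';
    memcpy(out->host, host, host_len);
    out->host[host_len] = '\0';
    out->warn_userinfo = user_len > 0 && strchr(out->userinfo, '.') != NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample URLs; host names are placeholders. */
    const char *samples[] = { "http://host-a.example?@host-b.example/",
                              "http://host-a.example@host-b.example/",
                              "http://host-b.example/p?q=user@host-a.example" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct authority a;
        if (split_authority(samples[i], &a) == 0)
            printf("%s -> host=%s userinfo='%s' warn=%d\n",
                   samples[i], a.host, a.userinfo, a.warn_userinfo);
    }
    return 0;
}
```

Only the second sample sets the warning flag: it is the one case where text that looks like a host name really sits in the userinfo position.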