lynx-dev

LYNX-DEV using /../ in lynxexec:


From: tysko
Subject: LYNX-DEV using /../ in lynxexec:
Date: Wed, 15 Jan 1997 17:18:25 -0500 (EST)

   When using the TRUSTED_EXEC entry in the cfg file, it seems to be
possible to bypass security using the /../ notation, as in:

lynxexec:/lynx/bin/../../usr/bin/sh

I removed the problem on our system by searching for "/../" in LYGetFile.c
as it validates a lynxexec command, but it is rather ugly. Anyone have an
easier way?

  Oh, and does anyone have a way to prevent a url of    file:/
from being executed? Something similar to a ROOTFILE parameter?


John
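
The check discussed in the message above, as an added example that is not part of the original post and is not Lynx's own code: it assumes the TRUSTED_EXEC comparison is a plain string-prefix match (the post does not show it) and contrasts that with normalizing the path before comparing. All function names here are hypothetical; the two paths are the ones from the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed weak check: plain string-prefix match on the raw path. */
static int prefix_trusted(const char *trusted, const char *path)
{
    return strncmp(path, trusted, strlen(trusted)) == 0;
}

/* Lexically collapse "//", "/./", "/../"; -1 if relative, above "/", too long. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t n;
    if (in[0] != '/' || outsz < 2)
        return -1;
    out[0] = '\0';
    for (; *in; in += n) {
        in += strspn(in, "/");
        n = strcspn(in, "/");
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (out[0] == '\0')
                return -1;              /* ".." would climb above "/" */
            *strrchr(out, '/') = '\0';  /* drop the last component */
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            if (strlen(out) + n + 2 > outsz)
                return -1;
            strcat(out, "/");
            strncat(out, in, n);
        }
    }
    if (out[0] == '\0') strcpy(out, "/");
    return 0;
}

/* Hardened check: normalize both sides, match on a component boundary. */
static int trusted_after_normalize(const char *trusted, const char *path)
{
    char t[1024], p[1024];
    if (normalize_path(trusted, t, sizeof t) || normalize_path(path, p, sizeof p))
        return 0;
    size_t tl = strlen(t);
    return strncmp(p, t, tl) == 0 && (tl == 1 || p[tl] == '/' || p[tl] == '\0');
}

int main(void)
{
    const char *dir = "/lynx/bin/", *req = "/lynx/bin/../../usr/bin/sh";
    printf("%d %d\n", prefix_trusted(dir, req), trusted_after_normalize(dir, req));
    return 0;
}
```

The normalization is purely lexical and does not resolve symbolic links; for paths that exist on disk, realpath() covers that case as well.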

