
Re: LYNX-DEV lynx.cfg bug in ac-0.28


From: Foteos Macrides
Subject: Re: LYNX-DEV lynx.cfg bug in ac-0.28
Date: Wed, 04 Jun 1997 10:05:55 -0500 (EST)

Barry Rountree <address@hidden> wrote:
>Re:  lynx2.7.1ac-0.28
>
>When LYMain.c doesn't find lynx.cfg on the
>command line or as an environment variable,
>it then (erroneously?) looks for 
>
>       {$HOME}/.lynxrc  (or lynx.rc)
>
>instead of 
>
>       {$HOME}/lynx.cfg.  
>
>If .lynxrc is found, then lynx_cfg_file 
>is assigned "{$HOME}/.lynxrc" and the actual 
>lynx.cfg file is ignored.
>
>This is not a problem for lynx2-7-1 or 
>fotemods as of June 3rd, as neither of them
>attempt to find the lynx.cfg in $HOME.
>
>The included patch seems to fix it, but as
>this is my first contributed patch, I'd 
>prefer strict scrutiny. 

        Note that the suggestion to seek lynx.cfg in $HOME has been
made in the past, and rejected for security reasons, which may not
seem important for the growing number of people using Lynx on
personal computers, but still are when Lynx is used on managed
multiuser systems.  In contrast to the RC file, the configuration
file contains a number of security-related settings.  If a site
is relying on the userdefs.h definition for locating lynx.cfg,
users of Lynx in anonymous, validating, or captive (no shell)
accounts need only arrange to have a file with name lynx.cfg
deposited in $HOME, and then log in again, to circumvent the
site's configured security precautions.  No one can guarantee that
such a spoof is impossible with code as complicated as that for
Lynx.  For the vanilla and +fotemods code sets, those with shell
access who want the lynx.cfg sought in $HOME can set the LYNX_CFG
environment variable to ~/lynx.cfg (on both Unix and VMS, and
presumably the '~' could be made to work that way with the
DOS/WIN/NT ports too).  You also can set up an alias for invoking
Lynx, which includes a -cfg=foo switch.  That's important for sites
using a telnetd which allows pre-passage of environment variables.
Guard against unbridled featuritis/conveniencitis in Lynx development.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================