Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

[H E Nelson]

> Now, all that said....  the ability to get a shell, or cause lynx to pass 
> arbitrary _user-supplied_input_ to the system() command *is* a 'bad thing',
> and should be plugged.  Refusing to process any strings containing any 
> shell 'special' characters could be a good stat.

Question I have is why it is necessary for Lynx to call `sh' to do a
`cp'.  Wayne said something about doing an exec().  Why can't this be
done, or is it not any "safer"?

Fote, your mods look good (aren't they always).  Seems like it should
have been that way all along.  In my second _hour_ of downloading
bind8.1.1 (599Kb), so I won't be able to test Lynx today or tomorrow.

__Henry
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;