lynx-dev

Re: LYNX-DEV Alleged Lynx security emergency


From: Jonathan Sergent
Subject: Re: LYNX-DEV Alleged Lynx security emergency
Date: Wed, 02 Jul 1997 11:56:39 -0500

 ] I assume that what is _really_ being proposed is something like:
 ] 
 ] execl(COPY_PATH, COPY_PATH, File, SugFile, (char *)NULL);
 ] 
 ] rather than using /bin/cp, since there should never be a hard coded
 ] path to a file to exec coded in lynx's code itself.
 ] 
 ] What function does VMS use in place of exec?  What does Windows use?
 ] 
 ] Perhaps what is needed is a LYexec function which then has #ifdef's
 ] for the various environments?

VMS is already ifdeffed to different code almost completely in this function
(in LYDownload.c).  It does not use the same system() call as UNIX by any
stretch.  We don't need to change what VMS does (with system()) at all,
I don't believe.

This is a Un*x-specific security bug.  I have no idea if it might
affect NT machines as well.  I dunno if the NT shell is advanced enough
to make it a problem. (I believe you can set things up in NT so a user logs
in but has no access to the command prompt; this might thwart that.)


--jss.
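The exec-based copy proposed in the quoted text, as an added example that is not Lynx code and not part of the original message: the copy program is run directly, with no shell, so the suggested file name is never parsed as a command line. The names `copy_noshell` and `demo`, the `/bin/cp` default for `COPY_PATH`, and the sample file name are assumptions made for illustration.

```c
/* Added example, not Lynx source: copy a file without going through system(). */
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#ifndef COPY_PATH
#define COPY_PATH "/bin/cp"   /* assumed default; a real build would configure it */
#endif

/* Returns the copy program's exit status, or -1 if it could not be run.
 * No shell sees src or dst, so ';', '$', '`' and spaces are filename bytes. */
int copy_noshell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* First list argument is argv[0]; "--" keeps a name that starts
         * with '-' from being read as an option. */
        execl(COPY_PATH, COPY_PATH, "--", src, dst, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Self-check: copy to a constructed name containing shell metacharacters and
 * confirm the file exists under that literal name. Returns 0 on success. */
int demo(void)
{
    char dir[64], src[128], dst[128];
    struct stat st;
    FILE *f;
    snprintf(dir, sizeof dir, "/tmp/lyexec.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;  /* fails if the name already exists */
    snprintf(src, sizeof src, "%s/download.tmp", dir);
    snprintf(dst, sizeof dst, "%s/saved; touch marker", dir);  /* constructed */
    if ((f = fopen(src, "w")) == NULL) return 1;
    fputs("data\n", f);
    fclose(f);
    int ok = copy_noshell(src, dst) == 0 && stat(dst, &st) == 0 && st.st_size == 5;
    unlink(src); unlink(dst); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```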