lynx-dev

Re: pubLynx reinstated LYNX-DEV


From: Foteos Macrides
Subject: Re: pubLynx reinstated LYNX-DEV
Date: Mon, 07 Jul 1997 10:58:27 -0500 (EST)

Nelson Henry Eric <address@hidden> wrote:
>>   A thread has started locally in relation to a community network.   The 
>> assumption was made that if you limited to G)oto, then you were 
>> protected.   This makes the assumption that the attacker does not have 
>
>Not a good idea to even dream that people won't do their best to abuse a
>public service.  You wouldn't believe the dodge ball game I play with
>turkeys over here.
>
>> access to a WEB site themselves.   If you put the LYNXDOWNLOAD: into a 
>> remote WEB page, does the problem not still result?
>
>No.  Fote completely plugged that hole (and others).  As I interpret
>FOTEMODS, none of the "LYNXwhatevers" are acted upon when linked to
>from an off-site document.  (It would have to be in a file://localhost
>URL.)

        It can't even be "any" file:/localhost host URL.  It must be the
temporary file which Lynx created itself.  The new LYNXwhatevers that
were designed as real protocols for generating streams directly rather
than using a temporary file need not be, and thus are not blocked (e.g.,
LYNXKEYMAP:).  However, extended LYNXCOOKIE: URLs, though designed as
such a protocol, are blocked unless they're in the stream returned by
the ^K command.

        As far as the LYNXDOWNLOAD: spoof is concerned, for public access
sites which don't want the entire set of fotemods, they can just swap:

        http://www.slcc.edu/lynx/fote/patches/lynx2-7-1/src/LYDownload.c

into the vanilla v2.7.1 code set.  You can't also swap in LYMainLoop.c,
so you won't get all the other niceties, but just the LYDownload.c swap
will block the LYNXDOWNLOAD: spoof completely.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
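
The origin rule described in this message, sketched as an added C example. It is not Lynx's code and is not taken from LYDownload.c; every type, function and variable name is hypothetical, and the URLs are constructed sample values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the rule in the message; none of these names are Lynx's. */
struct origin {
    const char *doc_url;      /* document that contains the link */
    const char *own_temp_url; /* temp file this session wrote, or NULL */
    bool is_cookie_jar;       /* document is the stream returned by ^K */
};

/* Case-insensitive scheme match, so "lynxdownload:" is not a way around it. */
static bool has_scheme(const char *url, const char *scheme)
{
    for (; *scheme; url++, scheme++)
        if (tolower((unsigned char)*url) != tolower((unsigned char)*scheme))
            return false;
    return true;
}

/* Returns true if a link found in document `o` may be acted upon. */
bool internal_link_allowed(const char *link, const struct origin *o)
{
    if (!has_scheme(link, "LYNX"))
        return true;                 /* ordinary URL: not covered by this rule */
    if (has_scheme(link, "LYNXKEYMAP:"))
        return true;                 /* stream protocol, not blocked */
    if (has_scheme(link, "LYNXCOOKIE:"))
        return o->is_cookie_jar;     /* only from the ^K stream */
    /* Everything else, LYNXDOWNLOAD: included: the containing document must
       be the very temporary file this session created, not just any local file. */
    return o->own_temp_url && o->doc_url &&
           strcmp(o->doc_url, o->own_temp_url) == 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *tmp = "file://localhost/tmp/L1234-1.html";
    struct origin remote = { "http://example.org/page.html", tmp, false };
    struct origin local  = { "file://localhost/home/guest/x.html", tmp, false };
    struct origin own    = { tmp, tmp, false };
    const char *dl = "LYNXDOWNLOAD:constructed";

    printf("remote=%d local=%d own=%d\n", internal_link_allowed(dl, &remote),
           internal_link_allowed(dl, &local), internal_link_allowed(dl, &own));
    return 0;
}
```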