lynx-dev

Re: LYNX-DEV WebStar Server with DynaMorph problems


From: Doug Kaufman
Subject: Re: LYNX-DEV WebStar Server with DynaMorph problems
Date: Sun, 2 Nov 1997 12:48:36 -0800 (PST)

On Sat, 1 Nov 1997, Klaus Weide wrote:

> 1997-07-02
>   ...
> * Mods in LYGetFile.c to include URLs with content from a form submission
>   with method GET in the group for which Referer headers are never sent,
>   because the content might include private (e.g., password or credit
>   card) information which should not be visible in Referer logs. - FM
> 
> So it appears we have a conflict of interest here, since I FM's concern
> is a valid one.
> 
> Anyway, the code doing this additional check is
> 
>                     if ((LYNoRefererHeader == FALSE &&
>                          LYNoRefererForThis == FALSE) &&
>                         (url_type == HTTP_URL_TYPE ||
>                          url_type == HTTPS_URL_TYPE) &&
>                         (cp = strchr(HTLoadedDocumentURL(), '?')) != NULL &&
>                         strchr(cp, '=') != NULL) {
>                         /*
>                          *  Don't send a Referer header if the URL is
>                          *  the reply from a form with method GET, in
>                          *  case the content has personal data (e.g.,
>                          *  a password or credit card number) which
>                          *  would become visible in logs. - FM
>                          */
>                         LYNoRefererForThis = TRUE;
>                     }
> 
> You may want to disable this and see whether this really solves the
> immediate problem.

Thanks.  I recompiled lynx with "LYNoRefererForThis = TRUE" disabled and
I am now able to access the site.  The security risk to this seems
real, however.  I hope that, with this reply and your note going to the
editor at cjp.com, they will change their site setup to a more
secure and "anybrowser" friendly one.

                                    Doug
__
Doug Kaufman
Internet: address@hidden (preferred)
          address@hidden
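
The check quoted in this message, isolated as a standalone C function, together with one hypothetical alternative: sending the Referer with its query string removed instead of dropping the header. This is an added example, not code from Lynx or from either poster; the function names and sample URLs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same test as the quoted check: a '?' followed somewhere by '=' is
 * treated as the result of a form submitted with method GET. */
static int looks_like_get_form(const char *url)
{
    const char *cp = strchr(url, '?');
    return cp != NULL && strchr(cp, '=') != NULL;
}

/* Hypothetical alternative to omitting the header: copy the URL without
 * its query string and fragment, so submitted form data never reaches a
 * Referer log.  Returns 0 on success, -1 if out is too small. */
static int referer_without_query(const char *url, char *out, size_t outlen)
{
    size_t n = strcspn(url, "?#");   /* length up to first '?' or '#' */
    if (n >= outlen)
        return -1;
    memcpy(out, url, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the thread. */
    const char *samples[] = {
        "http://www.example.com/index.html",
        "http://www.example.com/search?q=lynx",
        "https://www.example.com/login?user=doug&pass=secret",
        "http://www.example.com/page?plain",
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (referer_without_query(samples[i], buf, sizeof buf) != 0)
            continue;
        printf("%-52s suppress=%d stripped=%s\n", samples[i],
               looks_like_get_form(samples[i]), buf);
    }
    return 0;
}
```

A query without any `=` (the last sample) does not trigger the suppression, which matches the quoted condition.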
