LYNX-DEV Three More no_proxy Weaknesses (two patched)
From: pg
Subject: LYNX-DEV Three More no_proxy Weaknesses (two patched)
Date: Sun, 8 Feb 1998 18:41:53 -0700 (MST)
Hello, Lyncei,
If I enter a URL for a no_proxy host, but in a different case
from the no_proxy environment variable, the proxy is used anyway
because of a case-sensitive strncmp in override_proxy.
-------------------------------------------------------
The tail-only comparison in override_proxy is overly lenient.
For example, if there's a lynx.cfg entry:
no_proxy:tek.com
this will erroneously (IMO) override the proxy for
domain stortek.com, where it should override for
stor.tek.com, but not for stortek.com, which may be
an entirely unrelated domain.
-------------------------------------------------------
Patch attached to use case-insensitive comparison and
to demand that the last omitted character be '.'.
-------------------------------------------------------
Within our firewall, authors feel free to use unqualified
hostnames. Although these should bypass the proxy, there's
no easy way to do this with the no_proxy variable.
-- gil
-------------------------------------------------------
diff -brc ./orig/lynxsrc/WWW/Library/Implementation/HTAccess.c
./lynxsrc/WWW/Library/Implementation/HTAccess.c
*** ./orig/lynxsrc/WWW/Library/Implementation/HTAccess.c Mon Nov 17
19:09:44 1997
--- ./lynxsrc/WWW/Library/Implementation/HTAccess.c Sun Feb 8 18:29:34 1998
***************
*** 312,318 ****
if ((!templ_port || templ_port == port) &&
(t_len > 0 && t_len <= h_len &&
! !strncmp(Host + h_len - t_len, no_proxy, t_len))) {
FREE(host);
return YES;
}
--- 312,319 ----
if ((!templ_port || templ_port == port) &&
(t_len > 0 && t_len <= h_len &&
! (t_len >= h_len || Host[h_len - t_len - 1] == '.') &&
! !strncasecomp(Host + h_len - t_len, no_proxy, t_len))) {
FREE(host);
return YES;
}
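Review bot: In the added line `(t_len >= h_len || Host[h_len - t_len - 1] == '.')`, a no_proxy entry that itself begins with a dot (for example `.tek.com`) can no longer match a subdomain. For Host `stor.tek.com` the tail comparison still succeeds, but the character before the tail is `r`, not `.`, so the proxy is no longer overridden where the old code did override it. Unless a leading dot is stripped earlier in override_proxy (not visible in this hunk), also accept the match when `no_proxy[0] == '.'`. Separately, since `t_len <= h_len` is already required on the line above, `t_len >= h_len` can only mean equality and would read more clearly as `t_len == h_len`.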
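The two patched comparisons side by side, as an added stand-alone example (not part of the original message or of Lynx's source). The function names are hypothetical, port handling is omitted, and POSIX strncasecmp stands in for Lynx's strncasecomp:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX), stand-in for Lynx's strncasecomp */

/* Pre-patch behaviour: case-sensitive comparison of the host's tail only. */
int old_match(const char *host, const char *entry)
{
    size_t h_len = strlen(host), t_len = strlen(entry);

    return t_len > 0 && t_len <= h_len &&
           strncmp(host + h_len - t_len, entry, t_len) == 0;
}

/* Patched behaviour: case-insensitive, and the character just before the
 * matched tail must be '.' unless the entry is the whole host name. */
int patched_match(const char *host, const char *entry)
{
    size_t h_len = strlen(host), t_len = strlen(entry);

    if (t_len == 0 || t_len > h_len)
        return 0;
    if (t_len < h_len && host[h_len - t_len - 1] != '.')
        return 0;                       /* "stortek.com" vs "tek.com" */
    return strncasecmp(host + h_len - t_len, entry, t_len) == 0;
}

int main(void)
{
    /* Constructed sample hosts based on the cases in the message. */
    const char *entry = "tek.com";
    const char *hosts[] = { "tek.com", "stor.tek.com", "stortek.com",
                            "STOR.TEK.COM" };
    size_t i;

    printf("%-14s %-4s %s\n", "host", "old", "patched");
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-14s %-4d %d\n", hosts[i],
               old_match(hosts[i], entry), patched_match(hosts[i], entry));
    return 0;
}
```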