lynx-dev

Re: lynx-dev have big patch


From: Klaus Weide
Subject: Re: lynx-dev have big patch
Date: Thu, 3 Jun 1999 07:23:00 -0500 (CDT)

On Thu, 3 Jun 1999, Henry Nelson wrote:

> > In that category there is particularly the breakdown of -restrictions
> > logic that has occurred; various other restriction issues (including
> > fixing, I hope, a hole where restrictions could be circumvented using
> 
> Do you have an approximate date when the breakdown occurred; in other
> words, prior to which release is the -restrictions logic intact?

What I call the "breakdown" seems to have started when the LYNXCFG:
and LYNXCOMPILEOPTS: pages were introduced, or rather when they were
first restricted for -anonymous.  According to CHANGES*, that would have
been

   1998-09-25 (2.8.1pre.2)
   ...
   * modify so that lynx_cfg_infopage() and lynx_compile_opts() pages are not
     invoked when Lynx is running -anonymous - TD

You should be "safe" against unwanted access to those pages as long as
you explicitly use the "-anonymous" flag, but *possibly* not if you use
individual "-restrictions=..." or "-validate".

The other issue regarding form fields (partially quoted above) seems to be
of a much older date, reaching back several versions.  I do not think
it actually can be exploited in a compromising manner in any real-life
situation - it would depend on having a particular kind of form in an
allowed document that has a submit action that should be forbidden, 
and I cannot imagine why anyone would create such a constellation. 

Allowing "news://remote.server/..." with -localhost seems to be another
hole that needs fixing (please test in your version).

   Klaus

