Re: lynx-dev have big patch
From: Klaus Weide
Subject: Re: lynx-dev have big patch
Date: Thu, 3 Jun 1999 07:23:00 -0500 (CDT)

On Thu, 3 Jun 1999, Henry Nelson wrote:
> > In that category there is particularly the breakdown of -restrictions
> > logic that has occurred; various other restriction issues (including
> > fixing, I hope, a hole where restrictions could be circumvented using
>
> Do you have an approximate date when the breakdown occurred; in other
> words, prior to which release is the -restrictions logic intact?

What I call the "breakdown" seems to have started when the LYNXCFG:
and LYNXCOMPILEOPTS: pages were introduced, or rather when they were
first restricted for -anonymous. According to CHANGES*, that would have
been

    1998-09-25 (2.8.1pre.2)
    ...
    * modify so that lynx_cfg_infopage() and lynx_compile_opts() pages are not
      invoked when Lynx is running -anonymous - TD

You should be "safe" against unwanted access to those pages as long as
you explicitly use the "-anonymous" flag, but *possibly* not if you use
individual "-restrictions=..." or "-validate".

The other issue regarding form fields (partially quoted above) seems to be
of a much older date, reaching back several versions. I do not think
it actually can be exploited in a compromising manner in any real-life
situation - it would depend on having a particular kind of form in an
allowed document that has a submit action that should be forbidden,
and I cannot imagine why anyone would create such a constellation.

Allowing "news://remote.server/..." with -localhost seems to be another
hole that needs fixing (please test in your version).

Klaus