
Re: lynx-dev Potential security hole?


From: T.E.Dickey
Subject: Re: lynx-dev Potential security hole?
Date: Sat, 18 Sep 1999 08:29:46 -0400 (EDT)

> Hi there... 
>  
> I've just run across an announcement of a security hole in lynx. The 
> site that announced it doesn't appear to be offering the source patch to 
> fix it, and they don't appear to have an AIX binary. I can't find any 
> reference to it on the lynx pages, and our site is vulnerable. Have you 
> been notified of this bug, and if so, is there a patch that I can 
> download to fix it? Thanks in advance... 

*** lynx2-8-2.old/WWW/Library/Implementation/HTTCP.c    Tue Jul 20 02:19:59 
1999 
--- lynx2-8-2/WWW/Library/Implementation/HTTCP.c        Mon Aug 30 13:08:47 
1999 
*************** 
*** 314,319 **** 
--- 314,320 ---- 
  **  - contains only valid chars for domain names (actually, the 
  **    restrictions are somewhat relaxed), 
  **  - no leading dots or empty segments, 
+ **  - no segment starts with '-' or '+' [this protects telnet command], 
  **  - max. length of dot-separated segment <= 63 (RFC 1034,1035), 
  **  - total length <= 254 (if it ends with dot) or 253 (otherwise) 
  **     [an interpretation of RFC 1034,1035, although RFC 1123 
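Review bot: The bracketed rationale on the added comment line, "[this protects telnet command]", is too terse for a security rule. It should say what is being protected against: a host segment beginning with '-' or '+' must not reach the telnet command line, where it could be taken as an option rather than a host name. The added line also lacks the leading space that the neighbouring comment lines have before "**", so it will not line up with the rest of the block once applied.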
*************** 
*** 341,346 **** 
--- 342,349 ---- 
                iseg = 0; 
                continue; 
            } 
+       } else if (iseg == 0 && (*cp == '-' || *cp == '+')) { 
+           return NO; 
        } else if (++iseg > 63) { 
                return NO; 
        } 
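Review bot: The new branch `else if (iseg == 0 && (*cp == '-' || *cp == '+'))` is only correct because `iseg == 0` means "first character of a segment", which in turn depends on `++iseg` being evaluated in the `else if` that follows it and on `iseg = 0` being reset at each dot. A one-line comment on the branch stating that invariant would keep a later reordering of these tests from silently disabling the check. It is also worth confirming outside this hunk that every path that builds the telnet command calls this validation first, since the lines shown here only cover the check itself.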
 

-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
