lynx-dev

lynx-dev Re: lynx and www.clicktv.com


From: Doug Kaufman
Subject: lynx-dev Re: lynx and www.clicktv.com
Date: Sun, 31 Oct 1999 00:05:28 -0700 (PDT)

Back in March, Bruce Toews wrote about problems doing searches on
www.clicktv.com. There was never a satisfactory answer. After recent
discussion with him, and some test compiles of lynx, it turns out that
this is the same problem I had two years ago with another site. This
site depends on a REFERER header in a reply to a form with GET. Klaus
gave the answer two years ago:

>      * To: address@hidden
>      * Subject: Re: LYNX-DEV WebStar Server with DynaMorph problems
>      * From: Doug Kaufman <address@hidden>
>      * Date: Sun, 2 Nov 1997 12:48:36 -0800 (PST)
>      * Cc: address@hidden
>      * In-Reply-To:
>        <address@hidden>
>      * Reply-To: address@hidden
>      * Sender: address@hidden
>      _________________________________________________________________
>    
> On Sat, 1 Nov 1997, Klaus Weide wrote:
> 
> > 1997-07-02
> >   ...
> > * Mods in LYGetFile.c to include URLs with content from a form submission
> >   with method GET in the group for which Referer headers are never sent,
> >   because the content might include private (e.g., password or credit
> >   card) information which should not be visible in Referer logs. - FM
> >
> > So it appears we have a conflict of interest here, since I FM's concern
> > is a valid one.
> >
> > Anyway, the code doing this additional check is
> >
> >                     if ((LYNoRefererHeader == FALSE &&
> >                          LYNoRefererForThis == FALSE) &&
> >                         (url_type == HTTP_URL_TYPE ||
> >                          url_type == HTTPS_URL_TYPE) &&
> >                         (cp = strchr(HTLoadedDocumentURL(), '?')) != NULL &&
> >                         strchr(cp, '=') != NULL) {
> >                         /*
> >                          *  Don't send a Referer header if the URL is
> >                          *  the reply from a form with method GET, in
> >                          *  case the content has personal data (e.g.,
> >                          *  a password or credit card number) which
> >                          *  would become visible in logs. - FM
> >                          */
> >                         LYNoRefererForThis = TRUE;
> >                     }
> >
> > You may want to disable this and see whether this really solves the
> > immediate problem.
> 
> Thanks.  I recompiled lynx with "LYNoRefererForThis = TRUE" disabled and
> I am now able to access the site.  The security risk to this seems
> real, however.  I hope, that with this reply and your note going to the
> editor at cjp.com, that they will change their site setup to a more
> secure and "anybrowser" friendly one.


This fix also works with the www.clicktv.com site. The problem is only
with the Canadian version, which may be why no answer was forthcoming
earlier. The US version uses a different search mechanism that doesn't
violate lynx security measures.
                              Doug

>      _________________________________________________________________
>    
>      * To: Philip Webb <address@hidden>
>      * Subject: Re: lynx-dev Problem with Lynx and
>        http://www.clicktv.com
>      * From: Bruce Toews <address@hidden>
>      * Date: Wed, 10 Mar 1999 18:13:02 -0600 (CST)
>      * cc: address@hidden
>      * In-Reply-To: <address@hidden>
>      _________________________________________________________________
>    
> Hi. I have taken the liberty to set up a dummy account on www.clicktv.com
> to help illustrate the problem I am having. I should have done this
> earlier, I'm sorry. It is set up exactly as my own account is set up. Go
> to www.clicktv.com. Enter option five, for members. Go down to the sign-in
> section, enter "lynxtest" as the username and "dummy" as the password,
> without the quotes of course. Leave the cookie option unchecked and submit
> the sign-in form. You are taken immediately to the basic search page. At
> the top of the second screen is the key-word section. As an example, type
> in jeopardy. Keep the "all channels" button checked as per the default.
> Scroll down, leaving all options as is, until you get to "search" and
> select it. What *should* come up, and what does come up in earlier
> versions, is a list of all the occurrences of Jeopardy in my TV lineup for
> the next two weeks. Instead, I get a blank search screen.
> 
> I hope this detail is of assistance. I do appreciate your prompt reply.
> 
> On Wed, 10 Mar 1999, Philip Webb wrote:
> 
> > 990309 Bruce Toews wrote:
> > > I am using Lynx version 2.8.1, release 2 on a Unix shell.
> > > I was trying to access the search feature of  www.clicktv.com .
> > > I entered my login name & password, then chose the search function.
> > > all it did when I clicked on the "search" option was return me
> > > to the search screen, with a blank form.  This feature worked fine
> > > until our systems administrator upgraded our shell and thus Lynx.
> >
> > using 2-8-1dev.19 , when i goto your URL there's a `logon' link;
> > i go there & enter my name/password (i've registered just to test it),
> > which takes me to a `listings' link titled `preferences'
> > -- to see the current URL & selected link, use  =  -- ,
> > on which `search' is not a link; going back to `logon',
> > there is a `search' link, which i follow, bringing up a document
> > whose name is `search' but whose title is still `preferences'
> > entering a dummy zip code (98105, where i once lived),
> > i am taken to an appropriate listing of cable TV services for Seattle,
> > in a document named & titled `preferences':
> > presumably, that's what you're aiming for.
> >
> > possibly you are being misled by several documents with the same title,
> > but if you have a different experience moving within the site,
> > explain it with the same detail & someone may be able to help.
> > remember that the site may have changed as well as your ISP's Lynx.

__
Doug Kaufman
Internet: address@hidden
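
The check quoted in this message, restated as a stand-alone function and run on constructed URLs; this is an added example, not code from the lynx source or from anyone in the thread. It assumes `url_type` describes the URL being requested, uses a prefix match in place of lynx's URL typing, and adds a hypothetical `referer_without_query()` showing one middle ground (send the header with the query string removed), which is not lynx behaviour and which the thread does not test against either site.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for lynx's url_type test; the prefix match is an assumption. */
static bool is_http(const char *url)
{
    return strncmp(url, "http://", 7) == 0 || strncmp(url, "https://", 8) == 0;
}

/* Heuristic from the quoted code: the loaded document looks like the reply
 * to a GET form when its URL has a '?' with an '=' somewhere after it. */
bool referer_suppressed(const char *target_url, const char *loaded_url)
{
    const char *cp = strchr(loaded_url, '?');

    return is_http(target_url) && cp != NULL && strchr(cp, '=') != NULL;
}

/* Middle ground (NOT lynx behaviour): keep the header, drop query and
 * fragment.  Returns the length written, or 0 if it does not fit. */
size_t referer_without_query(const char *loaded_url, char *out, size_t outsz)
{
    size_t n = strcspn(loaded_url, "?#");

    if (outsz == 0)
        return 0;
    if (n >= outsz)
        n = 0;                      /* too long: send nothing, never truncate */
    memcpy(out, loaded_url, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed URLs; example.test is a placeholder host. */
    const char *target = "http://example.test/listing";
    const char *docs[] = {
        "http://example.test/search?q=jeopardy&zip=98105", /* form reply */
        "http://example.test/index?jeopardy",              /* '?' but no '=' */
        "http://example.test/a=b/page",                    /* '=' but no '?' */
    };
    char buf[64];

    for (size_t i = 0; i < sizeof docs / sizeof docs[0]; i++) {
        referer_without_query(docs[i], buf, sizeof buf);
        printf("%-48s suppressed=%d stripped=%s\n", docs[i],
               referer_suppressed(target, docs[i]), buf);
    }
    return 0;
}
```

Only the first URL trips the check: a bare `?keyword` query or an `=` in the path alone still sends the Referer.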

