lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev HTString.c patch for HTQuoteParameter()

From: Klaus Weide
Subject: Re: lynx-dev HTString.c patch for HTQuoteParameter()
Date: Fri, 14 Jul 2000 10:23:48 -0500 (CDT) 
On Fri, 14 Jul 2000, Thomas E. Dickey wrote:

> VMS uses a different quoting rule (the .com files in Lynx have
> several examples, actually).  But quotes are used mainly to
> evoke symbol substitution or prevent case-conversion by DCL (the shell).

I guess that means that VMS users can easily write dangerous EXTERNAL
statements - commands that do something weird if invoked on the
"wrong" URL - since Lynx doesn't attempt to protect the string
that is inserted for %s.  And there is no way for them to prevent
that, if an URL contains characters like quotes.  One would think
that dangerous characters should only occur in URLs in %-escaped form.
But according to RFC 2396, "'" is just an "unreserved" character
(while <"> is in the "delims" set), so even URLs that are offically
valid according to the specs can contain unencoded "'" characters.
So (if I'm right) VMS users should either never use EXTERNAL, or use
the EXTERN key only after carefully examining the URL each time.

Well and the same goes for any other non-UNIX (&& non-cygwin?) users,
if their shell ever interprets characters specially - unless the
protections through quote_pathname() (WIN_EX only) and/or in
LYsystem() are reliable (I have doubts about that).

For things other than EXTERNAL, things aren't so bad it seems.
VIEWER (including mailcap) commands usually operate just on a
lynx-constructed temp file, which of course shouldn't have any
dangerous characters in its name.  Same for DOWNLOADER[*] and PRINTER.
The second %s in DOWNLOADER and PRINTER, if present, is filled
in with a string from the user - if the user types something with
dangerous characters, it my have bad effects, but then the user
just shouldn't do that...

[*] There is an exception for DOWNLOADER: if 'd' is invoked on
a local file while in DIRED mode, normally a temp file copy is
not used, and the URL for the local file is passed directly.
If it contains unencoded special characters, again weird things
can happen.

   Klaus


; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
reply via email to
[Prev in Thread] Current Thread [Next in Thread]