
Re: lynx-dev -anonymous broken in 2.8.4?


From: RobertM
Subject: Re: lynx-dev -anonymous broken in 2.8.4?
Date: Fri, 6 Sep 2002 23:10:30 +0100 (BST)

Mea Culpa,

Now I'm at home and can actually check my CVS server I find that for
quite a few of these I took a more belt and braces approach.

It is alleged that Jeff Long once typed:
> RobertM wrote:
> > It is alleged that Jeff Long once typed:
> >>It seems to me that -anonymous is pretty messed up in 2.8.4 when compared 
> >>to 2.8.3.  For example, when -anonymous is used in 2.8.4 I can:
> >>1) Go to a served file: URL which then can get me into DirEd which then 
> >>gets me /etc/passwd

Checking this I also disabled DirEd, that said you shouldn't be able
to go to a file.

> >>2) Use ! to spawn my shell (which isn't a big deal when the shell is a 
> >>script that starts lynx)

I lied about this, this was actually a change I made in LYKeymap.c, it
would certainly be a useful thing to have as a more normal config
option.

However when lynx is being used by a specific anonymous user you can
edit many of these things by:

KEYMAP:!:DO_NOTHING             # Spawn default shell
KEYMAP:d:DO_NOTHING             # Download current link

> >>3) I can save options to a .lynxrc file

I think I fixed this by both making the file non writable, as well as
editing LYOptions.c to not even give the anonymous user the option.

> >>4) I can save a file to disk (e.g. using the d key)

Also look at restrictions such as:
-restrictions=suspend,useragent,mail,disk_save

> > All of these can be enabled or not for anonymous at compile time.

Faulty memory on my part and lack of sleep.

> >>and perhaps some other things I missed.  Perhaps this is the way it is 
> >>supposed to work...
> > I suspect this is due to the options set in the copy of lynx you're
> > using. The anonymous lynx client at lynx.scramworks.net certainly
> > won't let you do those things, it's running 2.8.4rel.1.
> > However I did go through the options very very carefully.
> Well, I thought I had also gone through them carefully (in both 
> userdefs.h and lynx.cfg).  I do not see any settings in them for #2.

Use the keymap.

> For #1 I have CAN_ANONYMOUS_GOTO_FILE set to FALSE but it appears that 
> -anonymous causes the file_url restriction to be turned off thus 
> allowing the file: to work.

Hmm, you're right it is allowed when going by a link. This is most
bad.

> For #3 I cannot find any lynxrc/options settings that apply when 
> -anonymous is used in userdefs.h/lynx.cfg.
> 
> Same for #4.  None of the lynx.cfg/userdefs.h settings seem to apply to 
> downloading to disk when -anonymous is used.
> 
> My userdefs.h and lynx.cfg are virtually identical between 2.8.3 and 
> 2.8.4 which is why I'm a bit confused.

Many apologies, you do seem to be correct on all counts.

-- 
Robm
873
  "Ask not what I can do for the stupid, 
         but what the stupid can do for me" - Graeme Garden
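
An added example, not part of the original message or of lynx itself: a shell check that a locked-down launch covers the four items listed in the thread, using the KEYMAP and -restrictions mechanisms the message describes. The restriction names dired_support, shell and options_save do not appear in the message and are assumed from lynx's documented -restrictions list; the sample lynx.cfg and command line are constructed.

```shell
#!/bin/sh
# Restrictions matched to the thread's items 1-4. file_url and disk_save are named
# in the message; dired_support, shell and options_save are assumed from lynx's
# documented -restrictions list, so confirm them against your build.
REQUIRED_RESTRICTIONS="file_url dired_support shell options_save disk_save"
# Keys the message remaps to DO_NOTHING.
REQUIRED_KEYS='! d'

# missing_restrictions "<command line>": print required restrictions not present.
missing_restrictions() {
    list=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-restrictions=//p' | tr '\n' ',')
    case ",$list" in *,all,*) return 0 ;; esac   # "all" covers every restriction
    for r in $REQUIRED_RESTRICTIONS; do
        case ",$list" in
            *",$r,"*) ;;
            *) printf '%s\n' "$r" ;;
        esac
    done
}

# unmapped_keys <lynx.cfg>: print required keys lacking an active DO_NOTHING mapping.
unmapped_keys() {
    for k in $REQUIRED_KEYS; do
        grep -Eq "^KEYMAP:$k:DO_NOTHING([[:space:]]|\$)" "$1" || printf '%s\n' "$k"
    done
}

# audit <lynx.cfg> "<command line>": list every gap; return 0 only if there are none.
audit() {
    gaps=$(unmapped_keys "$1" | sed 's/^/keymap:/'
           missing_restrictions "$2" | sed 's/^/restriction:/')
    [ -z "$gaps" ] && return 0
    printf '%s\n' "$gaps"
    return 1
}

# Constructed sample input, not taken from a real host.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
KEYMAP:!:DO_NOTHING             # Spawn default shell
#KEYMAP:d:DO_NOTHING            # commented out, so d still downloads
EOF
SAMPLE_CMD='lynx -anonymous -restrictions=suspend,useragent,mail,disk_save http://example.invalid/'
audit "$SAMPLE_CFG" "$SAMPLE_CMD" || echo "launch is not locked down"
```

Listing each restriction explicitly means the check does not depend on what -anonymous implies in a given release, which is the discrepancy between 2.8.3 and 2.8.4 that the thread is about.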
