
Re: [Lynx-dev] security problem in EXTERNAL on Windows


From: patakuti
Subject: Re: [Lynx-dev] security problem in EXTERNAL on Windows
Date: Sat, 10 Dec 2005 14:50:05 +0900 (JST)

On Sat, 26 Nov 2005, I wrote:

> I found a security problem in some versions of lynx, including
> 2.8.5rel.1 and 2.8.6dev.15.
> 
> There may be some risks when executing external programs against a
> malicious URL via the EXTERNAL mechanism on the Windows platform.
> 
> I wrote a patch for 2.8.6dev.15 and tested it on Windows XP.
> I tested only on Windows XP, but the behavior is different on Win95/98 and
> WinNT/2000/XP.  So I'm happy if someone tests on the above platforms.

I updated my patch because, with the last patch, Lynx passed the path
to the external program with some characters still encoded when the
URL has the file scheme.

For example, 
    file://localhost/c:/foo%20bar.txt
is encoded to
    c:/foo^%20bar.txt
and it's passed to the external program.  It's safe but many programs
can't recognize it as a proper local path.  They expect 
"c:/foo bar.txt".
# It seems that a slash (/) instead of a backslash (\) doesn't matter here.

On the other hand, it's OK for schemes other than file, so
I made it handle the file scheme differently from the others.

And I have to note that we should use the start command or a batch file
as the EXTERNAL program.  Otherwise special characters in the parameter
are passed to the program in escaped form.

# Special characters (&, ^, %) are escaped by ^.
# I hadn't known that the handling of special characters differs
# between normal commands and the start command or batch files.

Please note this patch is for original 2.8.6dev.15.  Don't apply both
this and former one.
--
Takeshi Hataguchi
E-mail: address@hidden

Attachment: lynx.patch_for_286dev15-2
Description: Binary data
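The two behaviours the mail describes (escaping `&`, `^` and `%` with `^` before handing the URL to the EXTERNAL program, and percent-decoding the path first when the scheme is file), as an added illustration that is not the attached patch or Lynx's own code; the helper names and the sample URLs are constructed for the example, and the escaping only has the intended effect when the argument goes through cmd.exe (the start command or a batch file), as the mail notes.

```python
import re
from urllib.parse import urlsplit, unquote

# cmd.exe metacharacters that the mail says are escaped with '^'.
SPECIAL = "&^%"


def cmd_escape(s: str) -> str:
    """Prefix each cmd.exe special character with '^'."""
    return "".join("^" + c if c in SPECIAL else c for c in s)


def windows_path_from_file_url(url: str, decode: bool = True) -> str:
    """Turn file://localhost/c:/x.txt into c:/x.txt.

    With decode=False the percent-encoding is left in place, which is
    what the first version of the patch did for file URLs.
    """
    path = urlsplit(url).path
    if decode:
        path = unquote(path)          # %20 -> space, %26 -> &, ...
    # Drop the leading '/' in front of a drive letter.
    if re.match(r"^/[A-Za-z]:", path):
        path = path[1:]
    return path


def external_argument(url: str, decode_file_path: bool = True) -> str:
    """Argument as it would be handed to the EXTERNAL program.

    file URLs are decoded to a local path first (the updated behaviour);
    every scheme is then escaped so that cmd.exe does not interpret
    metacharacters smuggled in through a malicious URL.
    """
    if urlsplit(url).scheme == "file":
        return cmd_escape(windows_path_from_file_url(url, decode_file_path))
    return cmd_escape(url)


if __name__ == "__main__":
    # Constructed sample URLs.
    print(external_argument("file://localhost/c:/foo%20bar.txt", False))
    print(external_argument("file://localhost/c:/foo%20bar.txt"))
    print(external_argument("http://example.com/?a=1&b=2"))
```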

