lynx-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')


From: Thomas Dickey
Subject: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Date: Tue, 15 Nov 2016 05:06:16 -0500
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Nov 15, 2016 at 04:07:20AM -0500, Thomas Dickey wrote:
> On Tue, Nov 15, 2016 at 06:13:59PM +1100, Brian May wrote:
> > Thomas Dickey <address@hidden> writes:
> > 
> > > Interesting enough, when I look at the trace, lynx dev.10 is doing this:
> > 
> > With lynx 2.8.9dev10-1 from Debian unstable, if I type in:
> > 
> > lynx 'http://address@hidden/'
> > 
> > Then I get the following warning that appears on screen for one second
> > (easy to miss):
> > 
> > Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 
> > 'google.com')
> > 
> > Then it takes me to http://www.debian.org/
> 
> yes - and I was using the trace to see if I'd gotten the right host.
> The trace is (based on strace...) incorrect.  I'll fix that.

Here's the change which I just applied, which seems to work.
If there's no further changes needed, I'll release that as dev.11

A pointer to a web archive of this discussion would be useful.
(I updated the lynx-snapshots, in case anyone's curious).

-- 
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net

Attachment: lynx2.8.9dev.10a.patch.gz
Description: Binary data

Attachment: signature.asc
Description: Digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]