lynx-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with


From: Ian Collier
Subject: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Date: Wed, 16 Nov 2016 12:52:58 +0000
User-agent: Mutt/1.7.1 (2016-10-04)

On Wed, Nov 16, 2016 at 10:05:53AM +0000, David Woolley wrote:
> user             =  1*( unreserved / escaped / user-unreserved )
> user-unreserved  =  "&" / "=" / "+" / "$" / "," / ";" / "?" / "/"

That seems to be a quote from RFC 3261?  The relevant RFC here is 3986:

      userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )

      sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

I have a few observations about the current Lynx patches, though.

1. From a user's perspective, I'm not sure I understand the difference
   between the messages "User/password may appear to be a hostname" and
   "User/password may be confused with hostname".

2. It currently seems to be impossible to trigger the message "User/password
   contains only punctuation".

3. According to RFC 3986, it's permissible to have an empty password.
   However, lynx http://username:@www.debian.org/ says this:

   Looking up username:@www.debian.org
   Alert!: Address has invalid port
   Unable to locate remote host username:@www.debian.org.

4. If I do something stupid like this:  lynx http://address@hidden/
   then Lynx tries to look up an empty hostname.  This might not be
   considered a bug in the scheme of things; however, if I do
   http://address@hidden/ then it successfully goes
   to google.com and really it should have reported that as an error.

imc



reply via email to

[Prev in Thread] Current Thread [Next in Thread]