[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev -anonymous broken in 2.8.4?
From: |
RobertM |
Subject: |
Re: lynx-dev -anonymous broken in 2.8.4? |
Date: |
Fri, 6 Sep 2002 23:10:30 +0100 (BST) |
Mea Culpa,
Now I'm at home and can actually check my CVS server I find that for
quite a few of these I took a more belt and bracces approach.
It is alleged that Jeff Long once typed:
> RobertM wrote:
> > It is alleged that Jeff Long once typed:
> >>It seems to me that -anonymous is pretty messed up in 2.8.4 when compared
> >>to 2.8.3. For example, when -anonymous is used in 2.8.4 I can:
> >>1) Go to a served file: URL which then can get me into DirEd which then
> >>gets me /etc/passwd
Checking this I also disabled DirEd, that said you shouldn't be able
to got to a file.
> >>2) Use ! to spawn my shell (which isn't a big deal when the shell is a
> >>script that starts lynx)
I lied about this, this was actually a change I made in LYKeymap.c, it
would certainly be a sueful thing to have as a more normal config
option.
However when lynx is being used by a specific anonymous user you can
edit many of these things by:
KEYMAP:!:DO_NOTHING # Spawn default shell
KEYMAP:d:DO_NOTHING # Download current link
> >>3) I can save options to a .lynxrc file
I think I fixed this by both making the file non writable, as well as
editing LYOptions.c to not even give the anonymous user the option.
> >>4) I can save a file to disk (e.g. using the d key)
Also look at restrictions such as:
-restrictions=suspend,useragent,mail,disk_save
> > All of these can be enabled or not for anonymous at compile time.
Faulty memory on my part and lack of sleep.
> >>and perhaps some other things I missed. Perhaps this is the way it is
> >>supposed to work...
> > I suspect this is due to the options set in the copy of lynx you're
> > using. The anonymous lynx client at lynx.scramworks.net certainly
> > won'tlet you do those things, it's running 2.8.4rel.1.
> > However I did go through the options very very carefully.
> Well, I thought I had also gone through them carefully (in both
> userdefs.h and lynx.cfg). I do not see any settings in them for #2.
Use the keymap.
> For #1 I have CAN_ANONYMOUS_GOTO_FILE set to FALSE but it appears that
> -anonymous causes the file_url restriction to be turned off thus
> allowing the file: to work.
Hmm, you're right it is allowed when going by a link. This is most
bad.
> For #3 I cannot find any lynxrc/options settings that apply when
> -anonymous is used in userdefs.h/lynx.cfg.
>
> Same for #4. None of the lynx.cfg/userdefs.h settings seem to apply to
> downloading to disk when -anonymous is used.
>
> My userdefs.h and lynx.cfg are virtually identical between 2.8.3 and
> 2.8.4 which is why I'm a bit confused.
Many apologies, you do seem to be correct on all counts.
--
Robm
873
"Ask not what I can do for the stupid,
but what the stupid can do for me" - Graeme Garden
; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
- lynx-dev -anonymous broken in 2.8.4?, Jeff Long, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, RobertM, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Jeff Long, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?,
RobertM <=
- Re: lynx-dev -anonymous broken in 2.8.4?, Thomas Dickey, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, RobertM, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Thomas Dickey, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, RobertM, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Bela Lubkin, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Thomas Dickey, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, RobertM, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Thomas Dickey, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, RobertM, 2002/09/06
- Re: lynx-dev -anonymous broken in 2.8.4?, Thomas Dickey, 2002/09/06