[pkg-lynx-maint] Bug#791452: lynx: http_proxy variable silently ignored!
Nomen Nescio
nobody at dizum.com
Sun Jul 5 02:07:53 UTC 2015
Package: lynx
Version: 2.8.9dev1-2
Severity: important
Dear Maintainer,

The "http_proxy" variable is silently ignored! This is very
dangerous, because a privoxy/tor user who relies on this setting for
privacy will be compromised, and they generally will not even be aware
of the compromise because the browser retrieves pages over an
untrusted connection without warning.

For example, suppose a tor user configures privoxy on port 8118. This
will yield an exposed session:

  $ export http_proxy=http://localhost:8118
  $ lynx

To prove that this bug exists, a tor user can run:

  $ http_proxy=http://127.0.0.1:8118 lynx https://torstatus.blutmagie.de/

and see the message saying that the connection is not from the tor
network.

-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lynx depends on:
ii lynx-cur 2.8.9dev1-2+b1
lynx recommends no packages.
lynx suggests no packages.
-- no debconf information
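
An added pre-flight check, not part of the original report and not lynx code: assuming the client follows the common `<scheme>_proxy` environment-variable convention, it reports whether an exported proxy variable covers a given URL's scheme before the browser is started. The function names `proxy_var_for_url` and `check_proxy_env` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the client selects its proxy from the variable
# named after the URL scheme (http_proxy for http://, https_proxy for https://).

# Print the name of the proxy variable that would cover the URL's scheme.
# Returns 2 when the argument has no usable scheme.
proxy_var_for_url() {
    case "$1" in
        *://*) scheme=${1%%://*} ;;
        *)     return 2 ;;
    esac
    scheme=$(printf '%s' "$scheme" | tr '[:upper:]' '[:lower:]')
    case "$scheme" in
        ''|[!a-z]*|*[!a-z0-9]*) return 2 ;;   # keep the name safe to use below
    esac
    printf '%s_proxy\n' "$scheme"
}

# Return 0 if the covering variable is exported and non-empty,
# 1 if a child process would see no proxy for this scheme, 2 on a bad URL.
check_proxy_env() {
    var=$(proxy_var_for_url "$1") || return 2
    # Read from `env`, not the shell's own variables: a variable that was
    # assigned but never exported is invisible to the browser process.
    val=$(env | sed -n "s/^${var}=//p")
    if [ -n "$val" ]; then
        printf 'ok: %s=%s covers %s\n' "$var" "$val" "$1"
        return 0
    fi
    printf 'WARNING: no exported %s; %s has no proxy variable for its scheme\n' \
        "$var" "$1" >&2
    return 1
}

# Usage with the values from the report:
#   check_proxy_env https://torstatus.blutmagie.de/ && lynx https://torstatus.blutmagie.de/
```

The check only inspects the environment; confirming that traffic really leaves through the proxy still requires a test such as the status page used in the report.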