[pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

Thomas Dickey dickey at his.com
Mon Nov 14 23:05:21 UTC 2016


On Mon, Nov 14, 2016 at 01:55:32PM +0100, Axel Beckert wrote:
> > +* improve warning message when stripping user/password from URL; report on
> > +  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
> > +  punctuation such as "?" which is permitted by RFC-1738 in a user or password
> > +  field.  RFC-3986 subsequently modified this.  The improved message points out
> > +  the possible confusion by users when these fields contain punctuation -TD
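
Review bot: the entry describes only the improved warning message and does not say which host Lynx connects to when the user or password field contains "?"; stating that would make the entry self-contained. The clause 'treated as a Lynx parsing error the punctuation such as "?"' is also hard to parse and would read better as 'treated punctuation such as "?" ... as a Lynx parsing error'.
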
> > 
> > but you will still -- contrary to other browsers -- be
> > redirected to the wrong site. E.g.
> > 
> > lynx http://google.com?@www.debian.org/

Interestingly enough, when I look at the trace, lynx dev.10 is doing this:

HTTP: Not sending authorization (yet).
Writing:
GET / HTTP/1.0\r
Host: google.com\r
Accept: text/html, text/plain, text/sgml, text/css, application/xhtml+xml, */*;q=0.01\r
Accept-Encoding: gzip, deflate, compress, bzip2\r
Accept-Language: en\r
User-Agent: Lynx/2.8.9dev.10 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1t\r
\r

> > will/should still direct you to the wrong place.

perhaps (I may have overlooked some case, but that would be a new bug report).

-- 
Thomas E. Dickey <dickey at invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
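
The following is an added example, not part of the original message and not Lynx code: it flags URLs such as the one in the thread, where a parser that ends the authority at the first "/", "?" or "#" (RFC 3986) and a looser one that ends it only at "/" pick different hosts. The function names and the looser parser are illustrative assumptions; the second and third sample URLs are constructed.

```python
import re

SCHEME = r"^[A-Za-z][A-Za-z0-9+.-]*://"


def _host_of(authority):
    """Return the lower-cased host from 'userinfo@host:port'."""
    _userinfo, _at, hostport = authority.rpartition("@")
    # Drop a trailing ':port' but leave a bracketed IPv6 literal intact.
    if re.search(r":\d*$", hostport):
        hostport = hostport.rsplit(":", 1)[0]
    return hostport.lower()


def host_rfc3986(url):
    """Strict reading: the authority ends at the first '/', '?' or '#'."""
    m = re.match(SCHEME + r"([^/?#]*)", url)
    return _host_of(m.group(1)) if m else None


def host_slash_only(url):
    """Loose reading (assumed): the authority ends only at '/', so a '?'
    or '#' before an '@' is taken as part of the user/password field."""
    m = re.match(SCHEME + r"([^/]*)", url)
    return _host_of(m.group(1)) if m else None


def ambiguous_host(url):
    """Return (strict_host, loose_host) if the readings disagree, else None."""
    strict, loose = host_rfc3986(url), host_slash_only(url)
    return (strict, loose) if strict != loose else None


SAMPLES = [
    "http://google.com?@www.debian.org/",  # URL quoted in the thread
    "http://user:pw@www.debian.org/",      # constructed: plain userinfo
    "http://www.debian.org/?q=a@b",        # constructed: '@' in the query
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", ambiguous_host(url) or "consistent")
```

A proxy, link checker or mail filter can apply the same comparison and reject or warn on any URL for which it returns a pair.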