[pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

Thomas Dickey dickey at his.com
Tue Nov 15 10:06:16 UTC 2016


On Tue, Nov 15, 2016 at 04:07:20AM -0500, Thomas Dickey wrote:
> On Tue, Nov 15, 2016 at 06:13:59PM +1100, Brian May wrote:
> > Thomas Dickey <dickey at his.com> writes:
> > 
> > > Interestingly enough, when I look at the trace, lynx dev.10 is doing this:
> > 
> > With lynx 2.8.9dev10-1 from Debian unstable, if I type in:
> > 
> > lynx 'http://google.com?@www.debian.org/'
> > 
> > Then I get the following warning that appears on screen for one second
> > (easy to miss):
> > 
> > Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')
> > 
> > Then it takes me to http://www.debian.org/
> 
> yes - and I was using the trace to see if I'd gotten the right host.
> The trace is (based on strace...) incorrect.  I'll fix that.

Here's the change which I just applied, which seems to work.
If there are no further changes needed, I'll release that as dev.11.

A pointer to a web archive of this discussion would be useful.
(I updated the lynx-snapshots, in case anyone's curious).

-- 
Thomas E. Dickey <dickey at invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lynx2.8.9dev.10a.patch.gz
Type: application/octet-stream
Size: 3988 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lynx-maint/attachments/20161115/f492e426/attachment.obj>
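
The two readings of the URL discussed in this thread, as an added example in C (not code from lynx and not the contents of the attached patch). `url_host` and `url_host_ambiguous` are hypothetical names; the loose mode models the behaviour reported above, and the strict mode follows RFC 3986 section 3.2, where the authority ends at the first '/', '?' or '#'.

```c
#include <stdio.h>
#include <string.h>

/* Extract the host of `url` into out[n]. Returns 0 on success, -1 on error.
 * strict=0: authority is taken to run to the first '/', modelling the
 *           behaviour reported in the thread (assumed, not lynx's code).
 * strict=1: authority ends at the first '/', '?' or '#' (RFC 3986, 3.2).
 * IPv6 literals are not handled. */
static int url_host(const char *url, int strict, char *out, size_t n)
{
    const char *p = strstr(url, "://");
    const char *at = NULL;
    size_t len, i, hostlen;

    if (p == NULL) return -1;
    p += 3;
    len = strcspn(p, strict ? "/?#" : "/");
    for (i = 0; i < len; i++)           /* userinfo ends at the last '@' */
        if (p[i] == '@') at = p + i;
    if (at != NULL) { len -= (size_t)(at + 1 - p); p = at + 1; }
    for (hostlen = 0; hostlen < len && p[hostlen] != ':'; hostlen++)
        ;                               /* drop an optional :port */
    if (hostlen == 0 || hostlen >= n) return -1;
    memcpy(out, p, hostlen);
    out[hostlen] = '\0';
    return 0;
}

/* 1 if the two readings disagree on the host, i.e. the name a user reads at
 * the start of the URL is not necessarily where the client connects. */
static int url_host_ambiguous(const char *url)
{
    char loose[256], strict[256];
    if (url_host(url, 0, loose, sizeof loose) != 0 ||
        url_host(url, 1, strict, sizeof strict) != 0)
        return 1;                       /* unparsable: treat as suspect */
    return strcmp(loose, strict) != 0;
}

int main(void)
{
    /* Constructed samples; the first is the URL quoted in the thread. */
    const char *samples[] = { "http://google.com?@www.debian.org/",
                              "http://user@www.debian.org/a?b=c@d",
                              "http://www.debian.org:8080/" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s ambiguous=%d\n", samples[i], url_host_ambiguous(samples[i]));
    return 0;
}
```

A '?' or '@' that appears after the first '/' belongs to the path or query and does not trigger the check.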