[pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Thomas Dickey
dickey at his.com
Wed Nov 16 00:33:34 UTC 2016
On Wed, Nov 16, 2016 at 12:30:59AM +0100, Axel Beckert wrote:
> Hi Thomas,
>
> Thomas Dickey wrote:
> > > > Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')
> > > >
> > > > Then it takes me to http://www.debian.org/
> > >
> > > yes - and I was using the trace to see if I'd gotten the right host.
> > > The trace is (based on strace...) incorrect. I'll fix that.
> >
> > Here's the change which I just applied, which seems to work.
>
> At least fixes the redirect target for me.
>
> > If there's no further changes needed, I'll release that as dev.11
>
> I though wonder if the "User/password may appear to be a
> hostname" alert is now still needed for that case.
Technically it's not needed, but some people apparently believe that
dots in a username make it a hostname. May as well make them look
closer.
--
Thomas E. Dickey <dickey at invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net