[pkg-lynx-maint] [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

Axel Beckert abe at debian.org
Wed Nov 16 07:41:46 UTC 2016


Hi Thomas,

Thomas Dickey wrote:
> On Wed, Nov 16, 2016 at 12:30:59AM +0100, Axel Beckert wrote:
> > Thomas Dickey wrote:
> > > > > Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')
> > > > > 
> > > > > Then it takes me to http://www.debian.org/
> > > > 
> > > > yes - and I was using the trace to see if I'd gotten the right host.
> > > > The trace is (based on strace...) incorrect.  I'll fix that.
> > > 
> > > Here's the change which I just applied, which seems to work.
> > 
> > At least fixes the redirect target for me.
> > 
> > > If there's no further changes needed, I'll release that as dev.11
> > 
> > I though wonder if the "User/password may appear to be a
> > hostname" alert is now still needed for that case.
> 
> Technically it's not needed, but some people apparently believe that
> dots in a username makes it a hostname.

That's my point: The case http://google.com?@www.debian.org/ doesn't
have a user name -- it just has a host name and a query string.

So IMHO the warning is obsolete in this specific case, i.e. with "?@"
without "/" before it.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



More information about the pkg-lynx-maint mailing list