Re: [Lynx-dev] session→syslog?!
From: Thomas Dickey
Subject: Re: [Lynx-dev] session→syslog?!
Date: Wed, 10 Nov 2010 17:01:42 -0500 (EST)

On Wed, 10 Nov 2010, Thorsten Glaser wrote:
> This is a more than serious bug (possible disclosure of passwords,
> definitive disclosure of privacy), if lynx does this out of the box:

syslog's been there more than ten years (look in CHANGES):

2009-08-28 (2.8.8dev.1)
* change compiled-in default for SYSLOG_REQUESTED_URLS to false (prompted by
  Debian #537907) -TD

see also

2004-12-30 (2.8.6dev.9)
* add command-line option (-syslog-urls) and lynx.cfg settings (SYSLOG_TEXT,
  SYSLOG_REQUESTED_URLS) to allow syslog'ing of URLs to be optional. This
  cannot be set from the options menu (Debian #282739) -TD

1999-09-13 (2.8.3dev.9)
* fix potential security problem with SYSLOG_REQUESTED_URLS, which would let
  syslog() send sensitive information as broadcast to any syslog daemon that
  care to listen.
  E.g. URLs with embedded passwords are sent to syslog:
    Sep 11 12:26:06 lynx[16177]: ftp://joe:address@hidden/~joe
  The patch masks the password by breaking up the URL and replacing
  the password with "******" (Gisle Vanem <address@hidden>).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
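
The 1999 CHANGES entry quoted above describes masking the password in a URL before it reaches syslog. As an added illustration (not part of the original message and not lynx's own code), the sketch below shows one way to do that; the function name `mask_url_password`, the sample URL and its credentials are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper: copy url into out with any userinfo password
 * replaced by "******". Returns 0 on success, -1 if out is too small. */
int mask_url_password(const char *url, char *out, size_t outlen)
{
    static const char mask[] = "******";
    const char *auth = strstr(url, "://");
    const char *end, *p, *at = NULL, *colon = NULL;
    int n;

    if (auth != NULL) {
        auth += 3;
        end = auth + strcspn(auth, "/?#");  /* authority ends here */
        for (p = auth; p < end; p++)        /* last '@' in the authority, */
            if (*p == '@')                  /* so '@' in a path is ignored */
                at = p;
    }
    if (at != NULL)                         /* first ':' inside userinfo */
        colon = memchr(auth, ':', (size_t)(at - auth));

    if (colon == NULL)                      /* no password present */
        n = snprintf(out, outlen, "%s", url);
    else                                    /* keep "scheme://user:", mask, rest */
        n = snprintf(out, outlen, "%.*s%s%s",
                     (int)(colon + 1 - url), url, mask, at);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample URL; credentials are made up. */
    const char *url = "ftp://joe:secret@example.invalid/~joe";
    char safe[256];

    openlog("lynx-example", LOG_PID, LOG_USER);
    if (mask_url_password(url, safe, sizeof safe) == 0)
        syslog(LOG_INFO, "%s", safe);       /* fixed format string */
    else
        syslog(LOG_INFO, "(URL too long to log)");
    closelog();
    return 0;
}
```

Masking covers only the userinfo password; query strings and paths can still carry session tokens, which is why the 2009 entry changed the compiled-in default for SYSLOG_REQUESTED_URLS to false.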