Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
From: Thomas Dickey
Subject: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Date: Mon, 14 Nov 2016 18:05:21 -0500
User-agent: Mutt/1.5.21 (2010-09-15)
On Mon, Nov 14, 2016 at 01:55:32PM +0100, Axel Beckert wrote:
> > +* improve warning message when stripping user/password from URL; report on
> > + http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error
> > the
> > + punctuation such as "?" which is permitted by RFC-1738 in a user or
> > password
> > + field. RFC-3986 subsequently modified this. The improved message
> > points out
> > + the possible confusion by users when these fields contain punctuation -TD
> >
> > but you still will -- contrary to other browsers -- be
> > redirected to the wrong site. E.g.
> >
> > lynx http://address@hidden/
Interestingly enough, when I look at the trace, lynx dev.10 is doing this:
HTTP: Not sending authorization (yet).
Writing:
GET / HTTP/1.0\r
Host: google.com\r
Accept: text/html, text/plain, text/sgml, text/css, application/xhtml+xml,
*/*;q=0.01\r
Accept-Encoding: gzip, deflate, compress, bzip2\r
Accept-Language: en\r
User-Agent: Lynx/2.8.9dev.10 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1t\r
\r
> > will/should still direct you to the wrong place.
perhaps (I may have overlooked some case, but that would be a new bug report).
--
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net
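
Added example (not part of the original message, and not Lynx code): a Python check that flags URLs whose host differs between the RFC 3986 reading and a simplified RFC 1738-style reading in which "?" may appear in the user or password field, the confusion the quoted CHANGES entry describes. The sample URLs, the function names and the RFC 1738-style model are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not from the thread); *.example names are placeholders.
SAMPLES = [
    "http://trusted.example?@other.example/",
    "http://user:pw@www.example/path?x=1@y",
    "http://www.example:8080/?next=a@b",
]

def _host_only(hostport):
    """Drop an optional :port and lower-case the host (IPv6 brackets removed)."""
    if hostport.startswith("["):
        return hostport[1:hostport.find("]")].lower()
    return hostport.split(":", 1)[0].lower()

def host_rfc3986(url):
    """RFC 3986 reading: the authority ends at the first '/', '?' or '#'."""
    return urlsplit(url).hostname or ""

def host_rfc1738_style(url):
    """Simplified RFC 1738-style reading (an assumption, not Lynx's parser):
    only '/' ends the authority, so '?' may sit inside the user/password field."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    hostport = re.split(r"[?#]", hostport, maxsplit=1)[0]
    return _host_only(hostport)

def host_divergence(url):
    """Return (rfc3986_host, rfc1738_style_host) when they differ, else None."""
    strict, legacy = host_rfc3986(url), host_rfc1738_style(url)
    return (strict, legacy) if strict != legacy else None

if __name__ == "__main__":
    for u in SAMPLES:
        d = host_divergence(u)
        print(u, "->", "AMBIGUOUS %s vs %s" % d if d else "consistent")
```

A link filter or proxy can warn on, or reject, any URL for which host_divergence() returns a pair, since different clients may contact different hosts for it.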