Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with

From:	David Woolley
Subject:	Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Date:	Wed, 16 Nov 2016 10:05:53 +0000
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0

On 16/11/16 07:41, Axel Beckert wrote:

That's my point: The case http://address@hidden/ doesn't
have a user name -- it just has a host name and a query string.


It does have a user part:

user             =  1*( unreserved / escaped / user-unreserved )
user-unreserved  =  "&" / "=" / "+" / "$" / "," / ";" / "?" / "/"

As you can see, "?" is a user-unreserved character and thereforeallowable in a user part.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?'), (continued)

Prev by Date: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Next by Date: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Previous by thread: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Next by thread: Re: [Lynx-dev] [pkg-lynx-maint] CVE-2016-9179 (invalid URL parsing with '?')
Index(es):
- Date
- Thread