
Re: CVE-2016-9179 (invalid URL parsing with '?')

Hi Salvatore,

since your mail went to debian-lts, too, I've allowed myself to also
Cc upstream and the Debian Lynx Packaging Team on that discussion.

Previous mails of that discussion can be found on
https://lists.debian.org/debian-lts/2016/11/msg00072.html ff.

Salvatore Bonaccorso wrote:
> > Just wondered why you marked CVE-2016-9179 as Slight mitigation in
> > 2.8.9dev.10? Is there any documentation that talks about the
> > changes in 2.8.9dev.10?
> The update in 2.8.9dev.10 does not really fix the issue (thus the bug
> was as well not closed by the maintainer I think),

Actually I missed that bug report for some reason. I noticed the open
CVE via https://udd.debian.org/dmd.cgi?email1=abe%40debian.org and
https://packages.qa.debian.org/l/lynx.html -- and at least when I
noticed the CVE, there was no bug report yet, so when I noticed the
CVE being mentioned in the upstream changelog, I just referred to

I've updated the changelog entry to also mention the bug report:
Thanks for checking back with me.

> because it only "improves" the message. I do not have an isolated
> change at hand, but
> https://anonscm.debian.org/cgit/pkg-lynx/lynx.git/commit/?id=cac725f0f5c4bb35091a06e90c876195e907ea9e
> documents the 2.8.9dev.10 import:
> +* improve warning message when stripping user/password from URL; report on
> +  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
> +  punctuation such as "?" which is permitted by RFC-1738 in a user or password
> +  field.  RFC-3986 subsequently modified this.  The improved message points out
> +  the possible confusion by users when these fields contain punctuation -TD
> but you will still -- in contrast to other browsers -- be
> redirected to the wrong site. E.g.
> lynx http://google.com?@www.debian.org/
> will/should still direct you to the wrong place.

I read the upstream changelog entry as if there are different opinions
on which is correct behaviour for this case.

_IMHO_ Lynx behaves correctly in this case and all other browsers behave
wrongly since there is no trailing slash behind "google.com". But
let's check the facts:

According to https://tools.ietf.org/html/rfc1738#section-3.3 using a
"?" without a "/" before it is only allowed if nothing follows the
question mark. (Yes, it's a little ambiguous there.) But then again,
RFC 1738 explicitly states about HTTP: "No user name or password is
allowed." So it's not much of help here.

On the other hand, https://tools.ietf.org/html/rfc3986#section-3.2
states clearly that the authority part (which includes the host name,
but optionally also user name and password) is terminated by _either_
"/", "?", or "#".

So according to RFC 3986 and 2396 (obsoleted by 3986), this is clearly
a bug in Lynx, although my gut feeling said otherwise. But according to
RFC 1738 (which has been updated but not obsoleted by other RFCs) it's
correct, but uses a feature that is unsupported or even explicitly
excluded. So I conclude that RFC 1738 can't be applied to this issue
and RFC 3986 should be the reference.

		Regards, Axel
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
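As an added illustration (example code, not Lynx's, Debian's or any browser's parser), a small Python implementation of the RFC 3986 rule cited above, which ends the authority at the first "/", "?" or "#", beside the RFC 1738-style reading that lets "?" sit inside user/password, plus a check that flags URLs where the two readings name different hosts. All function names are assumptions; the second and third sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Added example, not code from the thread or from Lynx; names are assumptions.


def authority_rfc3986(url):
    """RFC 3986 section 3.2: authority runs from '//' to the first '/', '?' or '#'."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://...")
    end = len(rest)
    for c in "/?#":
        i = rest.find(c)
        if i != -1:
            end = min(end, i)
    return rest[:end]


def authority_rfc1738_style(url):
    """Reading in which '?' may occur inside user/password: only '/' ends the authority."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://...")
    i = rest.find("/")
    return rest if i == -1 else rest[:i]


def hostport(authority):
    """userinfo, if present, ends at the last '@'; what follows is host[:port]."""
    return authority.rpartition("@")[2]


def host_rfc3986(url):
    return hostport(authority_rfc3986(url))


def host_rfc1738_style(url):
    return hostport(authority_rfc1738_style(url))


def readings_differ(url):
    """True when the two readings send the user to different hosts (the confusion
    the improved Lynx warning is about); a sensible thing for a client to warn on."""
    return host_rfc3986(url) != host_rfc1738_style(url)


def matches_stdlib(url):
    """Cross-check: Python's urlsplit also stops netloc at the first '/', '?' or '#'."""
    return authority_rfc3986(url) == urlsplit(url).netloc


if __name__ == "__main__":
    for u in ("http://google.com?@www.debian.org/",   # URL from the thread
              "http://user:pa?ss@example.org/",       # constructed: '?' inside a password
              "http://user:pass@example.org/?q=1"):   # constructed: unambiguous
        print(u, host_rfc3986(u), host_rfc1738_style(u), readings_differ(u))
```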
