On Mon, Nov 14, 2016 at 01:55:32PM +0100, Axel Beckert wrote:
> > +* improve warning message when stripping user/password from URL; report on
> > +  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
> > +  punctuation such as "?" which is permitted by RFC-1738 in a user or password
> > +  field.  RFC-3986 subsequently modified this.  The improved message points out
> > +  the possible confusion by users when these fields contain punctuation -TD
> >
> > but you still will be -- in contrary to other browsers -- be
> > redirected to the wrong site. E.g.
> >
> >   lynx http://google.com?@www.debian.org/

Interesting enough, when I look at the trace, lynx dev.10 is doing this:

HTTP: Not sending authorization (yet).
Writing:
GET / HTTP/1.0\r
Host: google.com\r
Accept: text/html, text/plain, text/sgml, text/css, application/xhtml+xml, */*;q=0.01\r
Accept-Encoding: gzip, deflate, compress, bzip2\r
Accept-Language: en\r
User-Agent: Lynx/2.8.9dev.10 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1t\r
\r

> > will/should still direct you to the wrong place.

perhaps (I may have overlooked some case, but that would be a new bug report).

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
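The two readings of the URL quoted in this thread, as an added example (not code from Lynx or from either poster): it compares the RFC 3986 host with a simplified older-style reading in which "?" may appear before the "@", and flags URLs where the two disagree. The function names and the `legacy_host` model are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample inputs; the first is the URL quoted in the thread.
SAMPLES = [
    "http://google.com?@www.debian.org/",
    "http://user:secret@www.debian.org/",
    "http://www.debian.org/?mail=a@b",
]

def rfc3986_host(url):
    """Host under RFC 3986: the authority ends at the first '/', '?' or '#'."""
    return urlsplit(url).hostname

def legacy_host(url):
    """Host under a simplified older-style reading (an assumption of this
    example): the authority ends only at '/', and everything before the
    last '@' in it is user[:password]. IPv6 literals are not handled."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()

def is_ambiguous(url):
    """True when the two readings would connect to different hosts."""
    return rfc3986_host(url) != legacy_host(url)

if __name__ == "__main__":
    for url in SAMPLES:
        flag = "AMBIGUOUS" if is_ambiguous(url) else "ok"
        print(f"{flag:9} rfc3986={rfc3986_host(url)} legacy={legacy_host(url)} {url}")
```

A filter like `is_ambiguous` can be run over URLs in logs or user-submitted links to surface ones that different clients may resolve to different hosts.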