[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

On Mon, Nov 14, 2016 at 01:55:32PM +0100, Axel Beckert wrote:
> > +* improve warning message when stripping user/password from URL; report on
> > +  http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
> > +  punctuation such as "?" which is permitted by RFC-1738 in a user or password
> > +  field.  RFC-3986 subsequently modified this.  The improved message points out
> > +  the possible confusion by users when these fields contain punctuation -TD
> > 
> > but you still will be -- in contrary to other browsers -- be
> > redirected to the wrong site. E.g. 
> > 
> > lynx http://google.com?@www.debian.org/

Interesting enough, when I look at the trace, lynx dev.10 is doing this:

HTTP: Not sending authorization (yet).
GET / HTTP/1.0\r
Host: google.com\r
Accept: text/html, text/plain, text/sgml, text/css, application/xhtml+xml, */*;q=0.01\r
Accept-Encoding: gzip, deflate, compress, bzip2\r
Accept-Language: en\r
User-Agent: Lynx/2.8.9dev.10 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1t\r

> > will/should still direct you to the wrong place.

perhaps (I may have overlooked some case, but that would be a new bug report).

Thomas E. Dickey <dickey@invisible-island.net>

Attachment: signature.asc
Description: Digital signature

Reply to: