Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

To: dickey@his.com, debian-lts@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Lynx Packaging Team <pkg-lynx-maint@lists.alioth.debian.org>, Lynx Development <lynx-dev@nongnu.org>
Subject: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
From: Brian May <bam@debian.org>
Date: Tue, 15 Nov 2016 18:13:59 +1100
Message-id: <[🔎] 874m39jjuw.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 20161114230521.GB17430@vmw-debian7-64.jexium-island.net>
References: <[🔎] 87a8d28rln.fsf@prune.linuxpenguins.xyz> <[🔎] 20161114075334.GA27784@lorien.valinor.li> <[🔎] 20161114125531.GS5130@sym.noone.org> <[🔎] 20161114230521.GB17430@vmw-debian7-64.jexium-island.net>

Thomas Dickey <dickey@his.com> writes:

> Interesting enough, when I look at the trace, lynx dev.10 is doing this:

With lynx 2.8.9dev10-1 from Debian unstable, if I type in:

lynx 'http://google.com?@www.debian.org/'

Then I get the following warning that appears on screen for one second
(easy to miss):

Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')

Then it takes me to http://www.debian.org/
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>

References:
- CVE-2016-9179
  - From: Brian May <bam@debian.org>
- Re: CVE-2016-9179
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: CVE-2016-9179 (invalid URL parsing with '?')
  - From: Axel Beckert <abe@debian.org>
- Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
  - From: Thomas Dickey <dickey@his.com>

Prev by Date: Re: Wheezy update of sendmail?
Next by Date: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Previous by thread: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Next by thread: Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')
Index(es):
- Date
- Thread