[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

Thomas Dickey <dickey@his.com> writes:

> Interesting enough, when I look at the trace, lynx dev.10 is doing this:

With lynx 2.8.9dev10-1 from Debian unstable, if I type in:

lynx 'http://google.com?@www.debian.org/'

Then I get the following warning that appears on screen for one second
(easy to miss):

Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')

Then it takes me to http://www.debian.org/
Brian May <bam@debian.org>

Reply to: