[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Lynx-dev] CVE-2016-9179 (invalid URL parsing with '?')

On Tue, Nov 15, 2016 at 06:13:59PM +1100, Brian May wrote:
> Thomas Dickey <dickey@his.com> writes:
> > Interesting enough, when I look at the trace, lynx dev.10 is doing this:
> With lynx 2.8.9dev10-1 from Debian unstable, if I type in:
> lynx 'http://google.com?@www.debian.org/'
> Then I get the following warning that appears on screen for one second
> (easy to miss):
> Alert!: User/password may appear to be a hostname: 'google.com?' (e.g, 'google.com')
> Then it takes me to http://www.debian.org/

yes - and I was using the trace to see if I'd gotten the right host.
The trace is (based on strace...) incorrect.  I'll fix that.

Thomas E. Dickey <dickey@invisible-island.net>

Attachment: signature.asc
Description: Digital signature

Reply to: