Package: w3m
Version: 0.5.3-19
Severity: important

Dear Maintainer,

The "HTTP_PROXY" variable is silently ignored!  This is very
dangerous, because a privoxy/tor user who relies on this setting for
privacy will be compromised, and they generally will not even be aware
of the compromise because the browser retrieves pages over an
untrusted connection without warning.

For example, suppose a tor user configures privoxy on port 8118.  This
is how /usr/share/doc/w3m/FAQ.html documents a proxy should be
configured, yet it yields an exposed session:

  $ export HTTP_PROXY=http://localhost:8118
  $ w3m

To prove that this bug exists, a tor user can run:

  $ HTTP_PROXY=http://127.0.0.1:8118 w3m https://torstatus.blutmagie.de/

The page reports that the connection is not from the tor network.


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages w3m depends on:
ii  libc6        2.19-18
ii  libgc1c2     1:7.2d-6.4
ii  libgpm2      1.20.4-6.1+b2
ii  libssl1.0.0  1.0.1k-3+deb8u1
ii  libtinfo5    5.9+20140913-1+b1
ii  zlib1g       1:1.2.8.dfsg-2+b1

Versions of packages w3m recommends:
ii  ca-certificates  20141019

Versions of packages w3m suggests:
pn  cmigemo       <none>
ii  man-db        2.7.0.2-5
ii  mime-support  3.58
pn  w3m-el        <none>
pn  w3m-img       <none>

-- no debconf information
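Added example (not part of the original report, and not w3m or Debian code): a check for the failure described above, where a client silently bypasses the proxy named in HTTP_PROXY. It points the variable at a throwaway local listener standing in for privoxy and reports whether the client ever connected to it; the helper name `proxy_request_seen` and the script name in the usage comment are assumptions.

```python
import os, socket, subprocess, sys, time

def proxy_request_seen(client_argv, timeout=10.0):
    """Run client_argv with HTTP_PROXY set to a throwaway local listener.

    Returns the first request line the client sent to the listener, "" if it
    connected but sent nothing readable, or None if it never connected
    (i.e. the variable was ignored). Hypothetical helper, not part of w3m.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    # Drop inherited *_proxy / no_proxy settings so only HTTP_PROXY is under test.
    env = {k: v for k, v in os.environ.items() if not k.lower().endswith("_proxy")}
    env["HTTP_PROXY"] = f"http://127.0.0.1:{port}"
    proc = subprocess.Popen(client_argv, env=env, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    deadline = time.monotonic() + timeout
    try:
        while True:
            exited = proc.poll() is not None
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                if exited or time.monotonic() > deadline:
                    return None          # client never touched the proxy
                continue
            line = ""
            with conn:
                conn.settimeout(2)
                try:
                    line = conn.recv(4096).split(b"\r\n")[0].decode("latin-1")
                    conn.sendall(b"HTTP/1.0 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass                 # peer closed early; keep what we read
            return line
    finally:
        srv.close()
        if proc.poll() is None:
            proc.kill()
        proc.wait()

if __name__ == "__main__":
    # Usage: python3 proxycheck.py <client> <args...>, with a plain http:// URL
    seen = proxy_request_seen(sys.argv[1:])
    print("IGNORED HTTP_PROXY" if seen is None else f"proxy saw: {seen!r}")
    sys.exit(1 if seen is None else 0)
```

Because the listener never forwards anything, the check runs without tor or privoxy and without sending traffic to a remote site when the client does honour the variable.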

