Hi Salvatore, since your mail went to debian-lts, too, I've allowed myself, to also Cc upstream and the Debian Lynx Packaging Team on that discussion.
Previosus mails of that discussion can be found on https://lists.debian.org/debian-lts/2016/11/msg00072.html ff. Salvatore Bonaccorso wrote: > > Just wondered why you marked CVE-2016-9179 as Slight mitigation in > > 2.8.9dev.10? Is there any documentation that says talks about the > > changes in 2.8.9dev.10? > > The update in 2.8.9dev.10 does not really fix the issue (thus the bug > was as well not closed by the maintainer I think), Actually I missed that bug report for some reason. I noticed the open CVE via https://udd.debian.org/dmd.cgi?email1=abe%40debian.org and https://packages.qa.debian.org/l/lynx.html -- and at least when I noticed the CVE, there was no bug report yet, so when I noticed the CVE being mentioned in the upstream changelog, I just referred to that. I've updated the changelog entry to also mention the bug report: https://anonscm.debian.org/cgit/pkg-lynx/lynx.git/commit/?id=8216aceb97c5227bc3282e8ba0a61f1739acfcdd Thanks for checking back with me. > because it only "improves" the message. I do not have an isolated > change at hand, but > https://anonscm.debian.org/cgit/pkg-lynx/lynx.git/commit/?id=cac725f0f5c4bb35091a06e90c876195e907ea9e > documents the 2.8.9dev.10 import: > > +* improve warning message when stripping user/password from URL; report on > + http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the > + punctuation such as "?" which is permitted by RFC-1738 in a user or > password > + field. RFC-3986 subsequently modified this. The improved message points > out > + the possible confusion by users when these fields contain punctuation -TD > > but you still will be -- in contrary to other browsers -- be > redirected to the wrong site. E.g. > > lynx http://google.com?@www.debian.org/ > > will/should still direct you to the wrong place. I read the upstream changelog entry as if there are different opinions on which is correct behaviour for this case. _IMHO_ Lynx behaves correctly in this case and all other browsers behave wrongly since there is no trailing slash behind "google.com". But let's check the facts: According to https://tools.ietf.org/html/rfc1738#section-3.3 using a "?" without a "/" before it is only allowed if nothing follows the question mark. (Yes, it's a little ambigous there.) But then again, RFC 1738 explicitly states about HTTP: "No user name or password is allowed." So it's not much of help here. On the other hand, https://tools.ietf.org/html/rfc3986#section-3.2 states clearly that the authority part (which includes the host name, but optionally also user name and password) is terminates by _either_ "/", "?", or "#". So according to RFC 3986 and 2396 (obsoleted by 3986), this is clearly a bug in Lynx despite my gut feeling said otherwise. But according to RFC 1738 (which has been updated but not obsoleted by other RFCs) it's correct, but includes an unsupported respectively explicitly excluded feature. So I conclude that RFC 1738 can't be applied to this issue and RFC 3986 should be the reference. Regards, Axel -- ,''`. | Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
