On Thu, Nov 03, 2016 at 05:58:14PM +0800, redrain root wrote:
> I can't find any bugtracker in lynx, so I will disclose by this mail and
> sent to the author [email protected].
>
> redrain ([email protected])
> Date:2016-11-03
> Version: 2.8.8pre.4、2.8.9dev.8 and earlier
> Platform: Linux and Windows
> Vendor: http://lynx.browser.org/
> Vendor Notified: 2016-11-03
>
>
> VULNERABILITY
> -------------------------
>
> Lynx doesn't parse the authority component of the URL correctly when the host
> name part ends with '?', and could instead be tricked into

Actually, it does parse correctly. Go read RFC 1738.

What can be improved here is adding some warnings about a few of the
cases where users can be confused by legal URL syntax. I'm working on that.

-- 
Thomas E. Dickey <[email protected]>
http://invisible-island.net
ftp://invisible-island.net
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
