Hi,

That looks like it will do it.

The original vulnerability discoverer wishes to be credited as 'vade79', so he should probably be credited instead of me.

-- greg

-----Original Message-----
From: Thomas Dickey [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 28, 2005 8:35 PM
To: Greg MacManus
Cc: vendor-disclosure; [email protected]
Subject: Re: [Lynx-dev] RE: FW: iDEFENSE Security Advisory [IDEF1089] Multiple Vendor Lynx Command Injection Vulnerability

On Fri, 28 Oct 2005, Thomas Dickey wrote:

> On Fri, 28 Oct 2005, Greg MacManus wrote:
>> I'm not sure what an appropriate fix would be, but potentially a warning
>> dialog to the user they are about to execute a local program might be
>> appropriate. Another change I could think of would be to default to
>> allow nothing to be executed, instead of default to allow all. If the
>> user wants to execute something, they must add it.
>
> That's probably suitable for novice mode (the default), or intermediate. For
> advanced mode lynx shows the url in the status line, so a message would be
> redundant.

I put a patch against dev.14 which does this. The src/LYCgi.c change is all that's needed. See

ftp://invisible-island.net/temp/lynx2.8.6dev.14b.patch.gz

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev
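The two ideas discussed in the thread above, a default-deny allow-list of local programs and a confirmation step for novice and intermediate mode (skipped in advanced mode, where the URL is already visible on the status line), sketched together as an added example in C. This is not the src/LYCgi.c patch linked above and not Lynx's code: the `lynxcgi:` URL shape, the `user_mode` names, the `decide_local_exec` function and the allow-list entries are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed user levels, named after the modes mentioned in the thread. */
enum user_mode { MODE_NOVICE, MODE_INTERMEDIATE, MODE_ADVANCED };

/* Outcome of the policy check before a local program is run. */
enum exec_decision { EXEC_DENY = 0, EXEC_CONFIRM = 1, EXEC_ALLOW = 2 };

/* Constructed allow-list: only programs the user explicitly added.
 * Anything absent from this table is refused (default deny). */
static const char *const allowed_programs[] = {
    "/usr/lib/cgi-bin/whois.cgi",
    "/usr/lib/cgi-bin/finger.cgi",
};
#define N_ALLOWED (sizeof allowed_programs / sizeof allowed_programs[0])

/* Copy the program path out of an assumed "lynxcgi:/path?args" URL:
 * everything after the scheme up to the first '?'. Returns 0 when the
 * URL is not lynxcgi: or the path is empty or too long for `out`. */
static int cgi_program_path(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "lynxcgi:";
    const char *p, *q;
    size_t n;

    if (strncmp(url, scheme, sizeof scheme - 1) != 0)
        return 0;
    p = url + (sizeof scheme - 1);
    q = strchr(p, '?');
    n = q ? (size_t)(q - p) : strlen(p);
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Exact-match lookup against the allow-list. Requiring an absolute path and
 * comparing with strcmp (not a prefix test) means "../", shell metacharacters
 * or a relative name never match a listed entry. */
static int program_allowed(const char *path)
{
    size_t i;

    if (path[0] != '/')
        return 0;
    for (i = 0; i < N_ALLOWED; i++)
        if (strcmp(path, allowed_programs[i]) == 0)
            return 1;
    return 0;
}

/* Policy: deny unless listed; if listed, ask the user first in novice and
 * intermediate mode, run directly in advanced mode. */
enum exec_decision decide_local_exec(const char *url, enum user_mode mode)
{
    char path[256];

    if (!cgi_program_path(url, path, sizeof path))
        return EXEC_DENY;
    if (!program_allowed(path))
        return EXEC_DENY;
    return mode == MODE_ADVANCED ? EXEC_ALLOW : EXEC_CONFIRM;
}

int main(void)
{
    /* Constructed sample URLs, not from the advisory. */
    static const char *const urls[] = {
        "lynxcgi:/usr/lib/cgi-bin/whois.cgi?q=example.org",
        "lynxcgi:/bin/sh",
        "lynxcgi:/usr/lib/cgi-bin/../../../bin/sh",
        "http://example.org/",
    };
    static const char *const names[] = { "deny", "confirm", "allow" };
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-45s novice=%s advanced=%s\n", urls[i],
               names[decide_local_exec(urls[i], MODE_NOVICE)],
               names[decide_local_exec(urls[i], MODE_ADVANCED)]);
    return 0;
}
```

The point of keeping the list as exact absolute paths is that the check stays correct no matter what the URL carried: a path that is not literally in the table is refused, so no parsing of the argument string is needed before the decision.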
