On Wed, 10 Nov 2010, Thorsten Glaser wrote:
> This is a more than serious bug (possible disclosure of passwords,
> definitive disclosure of privacy), if lynx does this out of the box:

syslog's been there more than ten years (look in CHANGES):

2009-08-28 (2.8.8dev.1)
* change compiled-in default for SYSLOG_REQUESTED_URLS to false (prompted by
  Debian #537907) -TD

see also

2004-12-30 (2.8.6dev.9)
* add command-line option (-syslog-urls) and lynx.cfg settings (SYSLOG_TEXT,
  SYSLOG_REQUESTED_URLS) to allow syslog'ing of URLs to be optional. This
  cannot be set from the options menu (Debian #282739) -TD

1999-09-13 (2.8.3dev.9)
* fix potential security problem with SYSLOG_REQUESTED_URLS, which would let
  syslog() send sensitive information as broadcast to any syslog daemon that
  care to listen.
  E.g. URLs with embedded passwords are sent to syslog:
    Sep 11 12:26:06 lynx[16177]: ftp://joe:passw...@host/~joe
  The patch masks the password by breaking up the URL and replacing
  the password with "******" (Gisle Vanem <[email protected]>).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev
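
The masking described in the 1999-09-13 CHANGES entry quoted above, sketched as an added example; it is not part of the original message and not Lynx's own code. The function names mask_url_password and log_requested_url and the 1024-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper (not Lynx's function): copy url into out with any
 * password in the userinfo part replaced by "******".
 * Returns 1 if a password was masked, 0 if the URL was copied unchanged,
 * -1 if out is too small (out is then left as an empty string). */
int mask_url_password(const char *url, char *out, size_t outlen)
{
    const char *auth, *end, *at = NULL, *colon, *p;
    int n;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    auth = strstr(url, "://");
    if (auth != NULL) {
        auth += 3;
        end = auth + strcspn(auth, "/?#");   /* authority stops here */
        for (p = auth; p < end; p++)         /* last '@' ends userinfo, so a */
            if (*p == '@')                   /* password like "p@ss" is hidden */
                at = p;
    }
    colon = at ? memchr(auth, ':', (size_t)(at - auth)) : NULL;
    if (colon == NULL) {                     /* no user:password to hide */
        n = snprintf(out, outlen, "%s", url);
        if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
        return 0;
    }
    /* keep "scheme://user:", drop the password, keep "@host/..." */
    n = snprintf(out, outlen, "%.*s******%s", (int)(colon + 1 - url), url, at);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -1; }
    return 1;
}

/* Log a requested URL; the URL is passed as data, never as the format. */
void log_requested_url(const char *url)
{
    char safe[1024];   /* assumed size; a URL that does not fit is not logged */

    if (mask_url_password(url, safe, sizeof safe) >= 0)
        syslog(LOG_INFO, "%s", safe);
}
```

Only a password in the userinfo part is masked; anything sensitive carried in the path or query string still reaches the log.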