Sat 2002.02.16 13:01 +0000, in message
<[EMAIL PROTECTED]>, RobertM <[EMAIL PROTECTED]> wrote,

> It is alleged that Eduardo Pérez once typed:
[...]
> > What's more important, no program should send private information
> > without the user's knowledge.
> 
> Lynx doesn't send private information without the user's knowledge,
> assuming that the user reads the documentation:
>
>   For anonymous ftp, Lynx uses your personal_mail_address (user@host) as
>   the password if it has been defined via the 'o'ptions menu.  Otherwise,
>   Lynx uses the dummy password WWWUser.
>
> Quoted from: lynx/lynx_help/lynx_url_support.html#ftp
> 
> So no problem on that front.

The code appears to be at odds with the quoted documentation.

I append the relevant portion of HTFTP.c from the 2.8.4 release.  (At a
quick glance, this portion looks unchanged from the 2.8.3 release.)  The
password for anonymous FTP is constructed thusly (omitting a couple
details):

  1. If personal_mail_address (read from .lynxrc) is non-null, use it.
  2. Otherwise, look in the user's environment for USER.  If $USER is
     non-null, use the concatenation of $USER, '@', and the string returned
     by HTHostName().
  3. Otherwise (only when *both* personal_mail_address and $USER are null),
     use the concatenation of "WWWUser@" and the string returned by
     HTHostName().

The documentation neglects to mention what I have labeled step 2.  On
Unix/Linux, as long as HTHostName() (defined in HTTCP.c) returns the right
thing, this step almost certainly will produce a valid e-address, even
though the user never entered one into .lynxrc (using the o'ptions menu, or
otherwise).

Sr Pérez's claim in this regard seems justified.

Those who wish to address this issue for their own use immediately, before
recompiling with Sr Pérez's previously proposed change or while awaiting
whatever change may arise from this thread, might consider entering
"WWWUser@" as the value for personal_mail_address in .lynxrc (most easily
done using the o'ptions menu within Lynx).  This will avert Lynx's possibly
successful effort to generate an e-address with USER and approximate the
behavior claimed by the documentation.  The obviously ill-formed e-address
"WWWUser@" will be submitted by Lynx as the password for anonymous FTPs.
(FTP servers are, of course, at liberty to reject it.)

Note that if just "WWWUser" is entered for personal_mail_address, Lynx will
concatenate that string with '@' and (probably) the string returned by
HTHostName() (one of the details omitted in the above synopsis), resulting
in a (probably) targetless e-address that isn't obviously invalid.  To me,
this seems marginally less desirable, if only because it makes it slightly
more likely that e-mail will arrive at the local system addressed to
WWWUser@<hostname>.  (Which, to be sure, might also happen in the case
above, if the FTP server's system puts the "WWWUser@" together with the
hostname it also logged.)

-- 
David Mosher <[EMAIL PROTECTED]>


======================================================================

lynx2-8-4/WWW/Library/Implementation/HTFTP.c   
   2001.06.03 12:58; 100578 bytes; CRC-32 = 935a4ab0; line 855

----------------------------------------------------------------------

      /*
       * Create and send a mail address as the password. - FM
       */
      char *user = NULL;
      CONST char *host = NULL;
      char * cp;

      if (personal_mail_address && *personal_mail_address) {
          /*
           * We have a non-zero length personal
           * mail address, so use that. - FM
           */
          StrAllocCopy(user, personal_mail_address);
          if ((cp=strchr(user, '@')) != NULL) {
              *cp++ = '\0';
              host = cp;
          } else {
              host = HTHostName();
          }
      } else {
          /*
           * Use an environment variable and the host global. - FM
           */
          if ((cp=getenv("USER")) != NULL)
              StrAllocCopy(user, cp);
          else
              StrAllocCopy(user, "WWWuser");
          host = HTHostName();
      }

      /*
       * If host is not fully qualified, suppress it
       * as ftp.uu.net prefers a blank to a bad name
       */
      if (!(host) || strchr(host, '.') == NULL)
          host = "";

      HTSprintf0(&command, "PASS %s@%s%c%c", user, host, CR, LF);
      FREE(user);

======================================================================
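
An added example, not part of the original message or of Lynx itself: the quoted fragment recast as a standalone C function so the cases discussed in the message can be tried offline. The function name ftp_anon_pass, its parameters, and the sample login and host names are constructed for illustration; hostname stands in for whatever HTHostName() returns.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: models the quoted HTFTP.c fragment with explicit inputs.
 * pma      = personal_mail_address from .lynxrc (NULL or "" if unset)
 * env_user = value of $USER (NULL if unset)
 * hostname = assumed return value of HTHostName()
 * Returns the text that would follow "PASS " (static buffer). */
static const char *ftp_anon_pass(const char *pma, const char *env_user,
                                 const char *hostname)
{
    static char out[512];
    char user[256];
    const char *host;
    char *cp;

    if (pma && *pma) {
        snprintf(user, sizeof user, "%s", pma);
        if ((cp = strchr(user, '@')) != NULL) {
            *cp++ = '\0';          /* split user@host at the '@' */
            host = cp;
        } else {
            host = hostname;       /* bare name: local host is appended */
        }
    } else {
        /* undocumented step: fall back to $USER before "WWWuser" */
        snprintf(user, sizeof user, "%s", env_user ? env_user : "WWWuser");
        host = hostname;
    }
    if (!host || strchr(host, '.') == NULL)
        host = "";                 /* unqualified host is suppressed */
    snprintf(out, sizeof out, "%s@%s", user, host);
    return out;
}

int main(void)
{
    const char *h = "pc1.example.org";   /* constructed sample host */
    printf("unset, USER=alice : %s\n", ftp_anon_pass(NULL, "alice", h));
    printf("unset, no USER    : %s\n", ftp_anon_pass(NULL, NULL, h));
    printf("pma \"WWWUser@\"    : %s\n", ftp_anon_pass("WWWUser@", "alice", h));
    printf("pma \"WWWUser\"     : %s\n", ftp_anon_pass("WWWUser", "alice", h));
    printf("unqualified host  : %s\n", ftp_anon_pass(NULL, "alice", "pc1"));
    return 0;
}
```

Only the "WWWUser@" setting yields a password with neither the login name nor the local host name in it; on a machine whose host name is unqualified, the login name alone is still sent.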
