From c60c227ab9a36246730d7454e33d40d2c66c88b3 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 13 Feb 2013 15:26:22 +0100 Subject: [PATCH] fix CVE-2008-4690 prompt user before executing command via a lynxcgi link even in advanced mode, as the actual URL may not be shown but hidden behind an HTTP redirect and set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default --- CHANGES | 7 +++++++ lynx.cfg | 2 +- src/LYCgi.c | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 360be68..8eca013 100644 --- a/CHANGES +++ b/CHANGES @@ -721,6 +721,13 @@ Changes since Lynx 2.8 release * update win32 makefiles/build scripts to add LYmktime, parsdate modules -TD * update config.guess (2008-04-14), config.sub (2008-06-16) +2008-10-26 +* modify patch for CVE-2005-2929 to prompt user before executing command via + a lynxcgi link even in advanced mode, as the actual URL may not be shown but + hidden behind an HTTP redirect +* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default + [CVE-2008-4690] + 2008-09-21 (2.8.7dev.10) * remove rw.po, since the translation project no longer supplies it -TD * implement "readonly" attribute for TEXTAREA and TEXT fields -TD diff --git a/lynx.cfg b/lynx.cfg index ee2aad3..144050d 100644 --- a/lynx.cfg +++ b/lynx.cfg @@ -1061,7 +1061,7 @@ DEFAULT_INDEX_FILE:http://scout.wisc.edu/ # # The default TRUSTED_LYNXCGI rule is "none". # -#TRUSTED_LYNXCGI:none +TRUSTED_LYNXCGI:none .h2 LYNXCGI_ENVIRONMENT # Unix: diff --git a/src/LYCgi.c b/src/LYCgi.c index 832bb89..0ae8a7e 100644 --- a/src/LYCgi.c +++ b/src/LYCgi.c @@ -164,7 +164,7 @@ static BOOL can_exec_cgi(const char *linktext, const char *linkargs) if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) { /* exec_ok gives out msg. */ result = FALSE; - } else { + } else if (user_mode < ADVANCED_MODE) { StrAllocCopy(command, linktext); if (non_empty(linkargs)) { HTSprintf(&command, " %s", linkargs); -- 1.7.1