blob: da2647b49b53ea7876315d5c49d5df023a6ecdb8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
Index: lynx2-8-6/CHANGES
===================================================================
--- lynx2-8-6.orig/CHANGES
+++ lynx2-8-6/CHANGES
@@ -1,6 +1,13 @@
Changes since Lynx 2.8 release
===============================================================================
+2008-10-26
+* modify patch for CVE-2005-2929 to prompt user before executing command via
+ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
+ hidden behind an HTTP redirect
+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+ [CVE-2008-4690]
+
2006-11-15 (2.8.6rel.4 diverges from 2.8.7dev.4)
* limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found
relative to the user's home directory. This change is less flexible than the
Index: lynx2-8-6/lynx.cfg
===================================================================
--- lynx2-8-6.orig/lynx.cfg
+++ lynx2-8-6/lynx.cfg
@@ -1026,7 +1026,7 @@ DEFAULT_INDEX_FILE:http://lynx.isc.org/
# ====
# Do not define this.
#
-#TRUSTED_LYNXCGI:none
+TRUSTED_LYNXCGI:none
.h2 LYNXCGI_ENVIRONMENT
Index: lynx2-8-6/src/LYCgi.c
===================================================================
--- lynx2-8-6.orig/src/LYCgi.c
+++ lynx2-8-6/src/LYCgi.c
@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
/* exec_ok gives out msg. */
result = FALSE;
- } else if (user_mode < ADVANCED_MODE) {
+ } else {
StrAllocCopy(command, linktext);
if (non_empty(linkargs)) {
HTSprintf(&command, " %s", linkargs);
|
GitWeb
