Re: lynx-dev Security holes.
From: dickey
Subject: Re: lynx-dev Security holes.
Date: Tue, 17 Nov 1998 05:06:13 -0500 (EST)
> The first part is to prevent attacks/trojans of the type:
> <a href="rlogin://foo;address@hidden">foo</a> where the sysadmin doesn't want
> his users to be able to run a shell. Or
> <a href="rlogin://evil|address@hidden">foo</a> where the attacker
> has a rlogind (or a login script) that answers with commands that will be
> executed on the host running lynx.
thanks (will review/integrate).
> The second one is simple fixes for buffer overflows. Of course that's
> probably not the way you will fix them because I have not seen any other
> use of snprintf in the source. (why not implement your own version?)
I just did that (in last night's patch). I do not intend using snprintf,
as I said before, because it is not a good technical solution (it is not
portable, and it can truncate the result).
--
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
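
The check discussed in the first quoted paragraph, rejecting rlogin URLs whose user or host part carries shell metacharacters such as ';' or '|', can be sketched as below. This is an added example, not part of the original message and not Lynx's code; the function names, the allowlist and the sample URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for one URL component (user or host): 1..255 characters, first
 * alphanumeric, the rest alphanumeric, '.', '-' or '_'; all else is rejected. */
static int component_is_safe(const char *s, size_t len)
{
    size_t i;
    if (len == 0 || len > 255 || !isalnum((unsigned char)s[0]))
        return 0;
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Hypothetical helper: returns 1 only for "rlogin://[user@]host" whose user
 * and host both pass the allowlist, 0 otherwise. */
int rlogin_url_is_safe(const char *url)
{
    static const char scheme[] = "rlogin://";
    const char *rest, *at;
    if (strncmp(url, scheme, sizeof(scheme) - 1) != 0)
        return 0;
    rest = url + sizeof(scheme) - 1;
    at = strchr(rest, '@');
    if (at != NULL) {
        if (!component_is_safe(rest, (size_t)(at - rest)))
            return 0;
        rest = at + 1;
    }
    return component_is_safe(rest, strlen(rest));
}

int main(void)
{
    /* Constructed sample URLs, not taken from the original message. */
    const char *samples[] = { "rlogin://alice@host.example.org",
                              "rlogin://foo;x@host.example.org",
                              "rlogin://evil|x@host.example.org" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s %s\n", samples[i],
               rlogin_url_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation like this is a backstop: passing the user and host as separate argv entries to exec, rather than formatting them into a shell command line, takes the shell out of the path entirely.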