37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
--- lynx2-8-6/CHANGES.old 2008-11-06 15:29:26.000000000 +0100
|
|
+++ lynx2-8-6/CHANGES 2008-11-06 15:32:44.000000000 +0100
|
|
@@ -1,5 +1,11 @@
|
|
Changes since Lynx 2.8 release
|
|
===============================================================================
|
|
+2008-10-26
|
|
+* modify patch for CVE-2005-2929 to prompt user before executing command via
|
|
+ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
|
|
+ hidden behind an HTTP redirect
|
|
+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
|
|
+ [CVE-2008-4690]
|
|
|
|
2007-05-09 (2.8.6rel.5 fix from 2.8.7dev.5)
|
|
* correct loop-limit in print_crawl_to_fd(), which broke
|
|
--- lynx2-8-6/src/LYCgi.c.old 2008-11-06 15:29:58.000000000 +0100
|
|
+++ lynx2-8-6/src/LYCgi.c 2008-11-06 15:30:53.000000000 +0100
|
|
@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
|
|
if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
|
|
/* exec_ok gives out msg. */
|
|
result = FALSE;
|
|
- } else if (user_mode < ADVANCED_MODE) {
|
|
+ } else {
|
|
StrAllocCopy(command, linktext);
|
|
if (non_empty(linkargs)) {
|
|
HTSprintf(&command, " %s", linkargs);
|
|
--- lynx2-8-5.orig/lynx.cfg 2008-10-26 21:45:02.000000000 +0100
|
|
+++ lynx2-8-5/lynx.cfg 2008-10-26 21:45:38.000000000 +0100
|
|
@@ -997,7 +997,7 @@ CHARACTER_SET:utf-8
|
|
# ====
|
|
# Do not define this.
|
|
#
|
|
-#TRUSTED_LYNXCGI:none
|
|
+TRUSTED_LYNXCGI:none
|
|
|
|
|
|
.h2 LYNXCGI_ENVIRONMENT
|