[packages/lynx.git] / lynx-CVE-2005-2929.patch

--- lynx2-8-5/src/LYCgi.c.cve-2005-2929	2004-02-02 13:02:28.000000000 -0700
+++ lynx2-8-5/src/LYCgi.c	2005-11-12 09:57:35.832520625 -0700
@@ -140,6 +140,40 @@
     }
 }
 
+#ifdef LYNXCGI_LINKS
+/*
+ * Wrapper for exec_ok(), confirming with user if the link text is not visible
+ * in the status line.
+ */
+static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
+{
+    const char *format = gettext("Do you want to execute \"%s\"?");
+    char *message = NULL;
+    char *command = NULL;
+    char *p;
+    BOOL result = TRUE;
+
+    if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+	/* exec_ok gives out msg. */
+	result = FALSE;
+    } else if (user_mode < ADVANCED_MODE) {
+	StrAllocCopy(command, linktext);
+	if (non_empty(linkargs)) {
+	    HTSprintf(&command, " %s", linkargs);
+	}
+	HTUnEscape(command);
+	for (p = command; *p; ++p)
+	    if (*p == '+')
+		*p = ' ';
+	HTSprintf0(&message, format, command);
+	result = HTConfirm(message);
+	FREE(message);
+	FREE(command);
+    }
+    return result;
+}
+#endif /* LYNXCGI_LINKS */
+
 #ifdef __MINGW32__
 PRIVATE int LYLoadCGI ARGS4(
 	CONST char *, 		arg,
@@ -281,8 +315,7 @@
 	       strcmp(arg, HTLoadedDocumentURL()) &&
 	       HText_AreDifferent(anAnchor, arg) &&
 	       HTUnEscape(orig_pgm) &&
-	       !exec_ok(HTLoadedDocumentURL(), orig_pgm,
-			CGI_PATH)) { /* exec_ok gives out msg. */
+	       !can_exec_cgi(orig_pgm, "")) {
 	/*
 	 *  If we have extra path info and are not just reloading
 	 *  the current, check the full file path (after unescaping)
@@ -313,8 +346,7 @@
 	       !(reloading && anAnchor->document) &&
 	       strcmp(arg, HTLoadedDocumentURL()) &&
 	       HText_AreDifferent(anAnchor, arg) &&
-	       !exec_ok(HTLoadedDocumentURL(), pgm,
-			CGI_PATH)) { /* exec_ok gives out msg. */
+	       !can_exec_cgi(pgm, pgm_args)) {
 	/*
 	 *  If we are reloading a lynxcgi document that had already been
 	 *  loaded, the various checks above should allow it even if
--- lynx2-8-5/src/LYGetFile.c.CVE-2005-2929	2003-06-02 02:16:28.000000000 +0100
+++ lynx2-8-5/src/LYGetFile.c	2005-11-11 18:03:27.000000000 +0000
@@ -1478,6 +1478,8 @@
 	    if (strstr(command,"//") == linktext) {
 		command += 2;
 	    }
+	    CTRACE((tfp, "comparing source\n\t'%s'\n\t'%s'\n", source, tp->src));
+	    CTRACE((tfp, "comparing command\n\t'%s'\n\t'%s'\n", command, tp->path));
 	    if (STRNADDRCOMP(source, tp->src, strlen(tp->src)) == 0 &&
 		STRNADDRCOMP(command, tp->path, strlen(tp->path)) == 0)
 		return TRUE;
--- lynx2-8-5/CHANGES.CVE-2005-2929	2005-11-11 18:02:29.000000000 +0000
+++ lynx2-8-5/CHANGES	2005-11-11 18:08:10.000000000 +0000
@@ -3,6 +3,13 @@
 * eliminate fixed-size buffers in HTrjis() and related functions to avoid
   potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
 
+2005-10-30 (2.8.6dev.15)
+* modify LYLoadCGI() to prompt user, displaying the command that would be
+  executed, to confirm that it should be.  This makes it easier to notice when
+  a local program would be run by activating a lynxcgi link.  This is not done
+  in advanced mode, since the URL is already visible in the status line (report
+  by vade79, comments by Greg MacManus) -TD
+
 2003-06-01 (2.8.5dev.16)
 + add zh_CN.po from
   http://www.iro.umontreal.ca/contrib/po/maint/lynx/
Commit	Line	Data
e1178872 ER	1	--- lynx2-8-5/src/LYCgi.c.cve-2005-2929 2004-02-02 13:02:28.000000000 -0700
	2	+++ lynx2-8-5/src/LYCgi.c 2005-11-12 09:57:35.832520625 -0700
	3	@@ -140,6 +140,40 @@
	4	}
	5	}
	6
	7	+#ifdef LYNXCGI_LINKS
	8	+/*
	9	+ * Wrapper for exec_ok(), confirming with user if the link text is not visible
	10	+ * in the status line.
	11	+ */
	12	+static BOOL can_exec_cgi(const char linktext, const char linkargs)
	13	+{
	14	+ const char *format = gettext("Do you want to execute \"%s\"?");
	15	+ char *message = NULL;
	16	+ char *command = NULL;
	17	+ char *p;
	18	+ BOOL result = TRUE;
	19	+
	20	+ if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
	21	+ /* exec_ok gives out msg. */
	22	+ result = FALSE;
	23	+ } else if (user_mode < ADVANCED_MODE) {
	24	+ StrAllocCopy(command, linktext);
	25	+ if (non_empty(linkargs)) {
	26	+ HTSprintf(&command, " %s", linkargs);
	27	+ }
	28	+ HTUnEscape(command);
	29	+ for (p = command; *p; ++p)
	30	+ if (*p == '+')
	31	+ *p = ' ';
	32	+ HTSprintf0(&message, format, command);
	33	+ result = HTConfirm(message);
	34	+ FREE(message);
	35	+ FREE(command);
	36	+ }
	37	+ return result;
	38	+}
	39	+#endif /* LYNXCGI_LINKS */
	40	+
	41	#ifdef __MINGW32__
	42	PRIVATE int LYLoadCGI ARGS4(
	43	CONST char *, arg,
	44	@@ -281,8 +315,7 @@
	45	strcmp(arg, HTLoadedDocumentURL()) &&
	46	HText_AreDifferent(anAnchor, arg) &&
	47	HTUnEscape(orig_pgm) &&
	48	- !exec_ok(HTLoadedDocumentURL(), orig_pgm,
	49	- CGI_PATH)) { /* exec_ok gives out msg. */
	50	+ !can_exec_cgi(orig_pgm, "")) {
	51	/*
	52	* If we have extra path info and are not just reloading
	53	* the current, check the full file path (after unescaping)
	54	@@ -313,8 +346,7 @@
	55	!(reloading && anAnchor->document) &&
	56	strcmp(arg, HTLoadedDocumentURL()) &&
	57	HText_AreDifferent(anAnchor, arg) &&
	58	- !exec_ok(HTLoadedDocumentURL(), pgm,
	59	- CGI_PATH)) { /* exec_ok gives out msg. */
	60	+ !can_exec_cgi(pgm, pgm_args)) {
	61	/*
	62	* If we are reloading a lynxcgi document that had already been
	63	* loaded, the various checks above should allow it even if
	64	--- lynx2-8-5/src/LYGetFile.c.CVE-2005-2929 2003-06-02 02:16:28.000000000 +0100
65	+++ lynx2-8-5/src/LYGetFile.c 2005-11-11 18:03:27.000000000 +0000
66	@@ -1478,6 +1478,8 @@
67	if (strstr(command,"//") == linktext) {
68	command += 2;
69	}
70	+ CTRACE((tfp, "comparing source\n\t'%s'\n\t'%s'\n", source, tp->src));
71	+ CTRACE((tfp, "comparing command\n\t'%s'\n\t'%s'\n", command, tp->path));
72	if (STRNADDRCOMP(source, tp->src, strlen(tp->src)) == 0 &&
73	STRNADDRCOMP(command, tp->path, strlen(tp->path)) == 0)
74	return TRUE;
75	--- lynx2-8-5/CHANGES.CVE-2005-2929 2005-11-11 18:02:29.000000000 +0000
76	+++ lynx2-8-5/CHANGES 2005-11-11 18:08:10.000000000 +0000
77	@@ -3,6 +3,13 @@
78	* eliminate fixed-size buffers in HTrjis() and related functions to avoid
79	potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
80
81	+2005-10-30 (2.8.6dev.15)
82	+* modify LYLoadCGI() to prompt user, displaying the command that would be
83	+ executed, to confirm that it should be. This makes it easier to notice when
84	+ a local program would be run by activating a lynxcgi link. This is not done
85	+ in advanced mode, since the URL is already visible in the status line (report
86	+ by vade79, comments by Greg MacManus) -TD
87	+
88	2003-06-01 (2.8.5dev.16)
89	+ add zh_CN.po from
90	http://www.iro.umontreal.ca/contrib/po/maint/lynx/