1 --- lynx2-8-5/src/LYCgi.c.cve-2005-2929 2004-02-02 13:02:28.000000000 -0700
2 +++ lynx2-8-5/src/LYCgi.c 2005-11-12 09:57:35.832520625 -0700
9 + * Wrapper for exec_ok(), confirming with user if the link text is not visible
10 + * in the status line.
12 +static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
14 + const char *format = gettext("Do you want to execute \"%s\"?");
15 + char *message = NULL;
16 + char *command = NULL;
20 + if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
21 + /* exec_ok gives out msg. */
23 + } else if (user_mode < ADVANCED_MODE) {
24 + StrAllocCopy(command, linktext);
25 + if (non_empty(linkargs)) {
26 + HTSprintf(&command, " %s", linkargs);
28 + HTUnEscape(command);
29 + for (p = command; *p; ++p)
32 + HTSprintf0(&message, format, command);
33 + result = HTConfirm(message);
39 +#endif /* LYNXCGI_LINKS */
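Review bot: The confirmation in can_exec_cgi() only runs when `user_mode < ADVANCED_MODE` (gutter line 23), so in advanced mode exec_ok() remains the only check before a lynxcgi link is executed. The CHANGES entry justifies this by the URL being visible in the status line, but that display is presumably the escaped URL and may be cut off at the screen width, whereas the prompt shows the unescaped command with its arguments. Consider prompting in every mode, or at least recording the assumption in the header comment, for example `* Advanced mode skips the prompt: the status line is assumed to show the whole URL.` Several lines of the function are missing from this page, including the branch taken in advanced mode and any cleanup of `message` and `command`, so those could not be reviewed.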
42 PRIVATE int LYLoadCGI ARGS4(
45 strcmp(arg, HTLoadedDocumentURL()) &&
46 HText_AreDifferent(anAnchor, arg) &&
47 HTUnEscape(orig_pgm) &&
48 - !exec_ok(HTLoadedDocumentURL(), orig_pgm,
49 - CGI_PATH)) { /* exec_ok gives out msg. */
50 + !can_exec_cgi(orig_pgm, "")) {
52 * If we have extra path info and are not just reloading
53 * the current, check the full file path (after unescaping)
55 !(reloading && anAnchor->document) &&
56 strcmp(arg, HTLoadedDocumentURL()) &&
57 HText_AreDifferent(anAnchor, arg) &&
58 - !exec_ok(HTLoadedDocumentURL(), pgm,
59 - CGI_PATH)) { /* exec_ok gives out msg. */
60 + !can_exec_cgi(pgm, pgm_args)) {
62 * If we are reloading a lynxcgi document that had already been
63 * loaded, the various checks above should allow it even if
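Review bot: At the first call site the condition chain runs `HTUnEscape(orig_pgm)` (gutter line 47) and then passes the decoded string to `can_exec_cgi(orig_pgm, "")`, which copies it and calls `HTUnEscape(command)` again before building the prompt. The text the user confirms is therefore decoded once more than the string handed to exec_ok(). A path that still contains a percent-escape after the first decoding would be displayed differently from what is checked and run. The second call site passes `pgm`, which the comment above it says is checked "after unescaping", so it likely has the same mismatch. I would have the helper display `linktext` as received and unescape only the arguments, or state in its header comment that callers must pass a still-escaped `linktext`. The body of LYLoadCGI starts and ends outside the lines shown.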
64 --- lynx2-8-5/src/LYGetFile.c.CVE-2005-2929 2003-06-02 02:16:28.000000000 +0100
65 +++ lynx2-8-5/src/LYGetFile.c 2005-11-11 18:03:27.000000000 +0000
67 if (strstr(command,"//") == linktext) {
70 + CTRACE((tfp, "comparing source\n\t'%s'\n\t'%s'\n", source, tp->src));
71 + CTRACE((tfp, "comparing command\n\t'%s'\n\t'%s'\n", command, tp->path));
72 if (STRNADDRCOMP(source, tp->src, strlen(tp->src)) == 0 &&
73 STRNADDRCOMP(command, tp->path, strlen(tp->path)) == 0)
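Review bot: The two CTRACE calls added at gutter lines 70-71 record the inputs of the trusted-path comparison but not its outcome, and nothing here says that the comparison appears to be a prefix match bounded by `strlen(tp->src)` and `strlen(tp->path)`. A comment such as `/* prefix match: an entry without a trailing '/' also accepts longer sibling names */` would make that visible to whoever maintains the trusted-path list. One more trace line inside the `if` would show which entry accepted the command when auditing a trace log. The enclosing function starts and ends outside this hunk.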
75 --- lynx2-8-5/CHANGES.CVE-2005-2929 2005-11-11 18:02:29.000000000 +0000
76 +++ lynx2-8-5/CHANGES 2005-11-11 18:08:10.000000000 +0000
78 * eliminate fixed-size buffers in HTrjis() and related functions to avoid
79 potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
81 +2005-10-30 (2.8.6dev.15)
82 +* modify LYLoadCGI() to prompt user, displaying the command that would be
83 + executed, to confirm that it should be. This makes it easier to notice when
84 + a local program would be run by activating a lynxcgi link. This is not done
85 + in advanced mode, since the URL is already visible in the status line (report
86 + by vade79, comments by Greg MacManus) -TD
88 2003-06-01 (2.8.5dev.16)
90 http://www.iro.umontreal.ca/contrib/po/maint/lynx/