author | Thomas E. Dickey <dickey@invisible-island.net> | 2016-11-15 09:36:45 -0500 |
---|---|---|
committer | Thomas E. Dickey <dickey@invisible-island.net> | 2016-11-15 09:36:45 -0500 |
commit | e7b70b64af3b0c7608d63db5dd2743e5d6d7843b (patch) | |
tree | c374b6977030ae0dabc6ffe8ec2ff5a54265fafa | |
parent | 237a7f5139b5c46eef09f9fb0ee9205feda37d60 (diff) | |
download | lynx-snapshots-e7b70b64af3b0c7608d63db5dd2743e5d6d7843b.tar.gz |
snapshot of project "lynx", label v2-8-9dev_10a
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | PACKAGE/debian/changelog | 4 | ||||
-rw-r--r-- | PACKAGE/lynx.nsi | 6 | ||||
-rw-r--r-- | PACKAGE/lynx.spec | 4 | ||||
-rw-r--r-- | PACKAGE/version.iss | 2 | ||||
-rw-r--r-- | WWW/Library/Implementation/HTTCP.c | 13 | ||||
-rw-r--r-- | WWW/Library/Implementation/HTTP.c | 8 | ||||
-rw-r--r-- | WWW/Library/Implementation/HTUtils.h | 4 | ||||
-rwxr-xr-x | configure | 2 | ||||
-rw-r--r-- | configure.in | 6 | ||||
-rw-r--r-- | lynx.cfg | 6 | ||||
-rw-r--r-- | makefile.in | 4 | ||||
-rw-r--r-- | src/LYIcon.rc | 10 | ||||
-rw-r--r-- | src/LYUtils.c | 3 | ||||
-rw-r--r-- | userdefs.h | 6 |
15 files changed, 42 insertions, 42 deletions
diff --git a/CHANGES b/CHANGES
index 3d9f1225..4044133a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,12 @@
--- $LynxId: CHANGES,v 1.859 2016/11/08 09:38:27 tom Exp $
+-- $LynxId: CHANGES,v 1.861 2016/11/15 09:36:45 tom Exp $
 ===============================================================================
 Changes since Lynx 2.8 release
 ===============================================================================
+2016-11-15 (2.8.9dev.11)
+* amend fix for stripping user/password to ensure that the stripped value is
+ used when connecting to the host (prompted by discussion of CVE-2016-9179) -TD
+
 2016-11-08 (2.8.9dev.10)
 * improved fix for OpenSSL 1.1 (Taketo Kabe).
 * improve warning message when stripping user/password from URL; report on
diff --git a/PACKAGE/debian/changelog b/PACKAGE/debian/changelog
index 8f510430..0818a58d 100644
--- a/PACKAGE/debian/changelog
+++ b/PACKAGE/debian/changelog
@@ -1,8 +1,8 @@
-lynx-dev (2.8.9dev.10) unstable; urgency=low
+lynx-dev (2.8.9dev.11) unstable; urgency=low
 * maintenance updates
- -- Thomas E. Dickey <dickey@invisible-island.net> Sat, 10 Sep 2016 07:22:22 -0400
+ -- Thomas E. Dickey <dickey@invisible-island.net> Tue, 15 Nov 2016 04:04:25 -0500
 lynx-dev (2.8.8dev.16) unstable; urgency=high
diff --git a/PACKAGE/lynx.nsi b/PACKAGE/lynx.nsi
index 131dfe3c..192f7d16 100644
--- a/PACKAGE/lynx.nsi
+++ b/PACKAGE/lynx.nsi
@@ -1,4 +1,4 @@
-; $LynxId: lynx.nsi,v 1.30 2016/09/10 11:22:22 tom Exp $
+; $LynxId: lynx.nsi,v 1.31 2016/11/15 09:04:25 tom Exp $
 ; Script originally generated with the Venis Install Wizard, but customized.
 ; The Inno Setup script is preferred; but this can be built via cross-compiling.
@@ -9,8 +9,8 @@
 !define VERSION_EPOCH "2"
 !define VERSION_MAJOR "8"
 !define VERSION_MINOR "9"
-!define VERSION_LEVEL "1010"
-!define VERSION_PATCH "dev.10"
+!define VERSION_LEVEL "1011"
+!define VERSION_PATCH "dev.11"
 !define SUBKEY "Lynx"
diff --git a/PACKAGE/lynx.spec b/PACKAGE/lynx.spec
index 942e621c..a93c497f 100644
--- a/PACKAGE/lynx.spec
+++ b/PACKAGE/lynx.spec
@@ -1,8 +1,8 @@
-# $LynxId: lynx.spec,v 1.37 2016/09/10 11:22:22 tom Exp $
+# $LynxId: lynx.spec,v 1.38 2016/11/15 09:04:25 tom Exp $
 Summary: A text-based Web browser
 Name: lynx
 Version: 2.8.9
-Release: dev.10
+Release: dev.11
 License: GPLv2
 Group: Applications/Internet
 Source: lynx%{version}%{release}.tgz
diff --git a/PACKAGE/version.iss b/PACKAGE/version.iss
index 7afb9512..281ab3cd 100644
--- a/PACKAGE/version.iss
+++ b/PACKAGE/version.iss
@@ -1,7 +1,7 @@
 ; version used for Inno Setup files.
 ; $Format: "#define LYNX_VERSION \"$ProjectVersion$\""$
-#define LYNX_VERSION "2.8.9dev.10"
+#define LYNX_VERSION "2.8.9dev.11"
 ; most-recent full release and target
 #define LYNX_RELEASE "2.8.9"
diff --git a/WWW/Library/Implementation/HTTCP.c b/WWW/Library/Implementation/HTTCP.c
index ff1cf9aa..54491956 100644
--- a/WWW/Library/Implementation/HTTCP.c
+++ b/WWW/Library/Implementation/HTTCP.c
@@ -1,5 +1,5 @@
 /*
- * $LynxId: HTTCP.c,v 1.134 2014/12/03 01:00:40 tom Exp $
+ * $LynxId: HTTCP.c,v 1.135 2016/11/15 09:31:58 tom Exp $
 *
 * Generic Communication Code HTTCP.c
 * ==========================
@@ -1804,7 +1804,6 @@ int HTDoConnect(const char *url,
 int status = 0;
 char *line = NULL;
 char *p1 = NULL;
- char *at_sign = NULL;
 char *host = NULL;
 #ifdef INET6
@@ -1826,14 +1825,8 @@ int HTDoConnect(const char *url,
 * Get node name and optional port number.
 */
 p1 = HTParse(url, "", PARSE_HOST);
- if ((at_sign = StrChr(p1, '@')) != NULL) {
- /*
- * If there's an @ then use the stuff after it as a hostname.
- */
- StrAllocCopy(host, (at_sign + 1));
- } else {
- StrAllocCopy(host, p1);
- }
+ StrAllocCopy(host, p1);
+ strip_userid(host, FALSE);
 FREE(p1);
 HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
diff --git a/WWW/Library/Implementation/HTTP.c b/WWW/Library/Implementation/HTTP.c
index a5be9264..08ed0c08 100644
--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
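Review bot: In the second HTDoConnect hunk of HTTCP.c, the new `strip_userid(host, FALSE);` call has no comment saying why the generic connect path now shares the HTTP helper, and with FALSE it can raise HTAlert from inside the connect routine. The helper is defined in HTTP.c and its warning text is about user/password confusion in HTTP URLs, so if loaders for other schemes reach HTDoConnect with user information in the URL they would presumably see that alert too; this is worth confirming against the callers, which are not visible here. I would add `/* strip user/password with the same rule used for the Host: header, so both name the same host */` above the call. HTDoConnect starts and ends outside the hunk.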
@@ -1,5 +1,5 @@
 /*
- * $LynxId: HTTP.c,v 1.159 2016/11/08 09:38:27 tom Exp $
+ * $LynxId: HTTP.c,v 1.160 2016/11/15 09:31:41 tom Exp $
 *
 * HyperText Tranfer Protocol - Client implementation HTTP.c
 * ==========================
@@ -582,7 +582,7 @@ static char *fake_hostname(char *auth)
 /*
 * Strip any username from the given string so we retain only the host.
 */
-static void strip_userid(char *host)
+void strip_userid(char *host, int parse_only)
 {
 char *p1 = host;
 char *p2 = skip_user_passwd(host);
@@ -633,7 +633,7 @@ static void strip_userid(char *host)
 gettext("User/password may be confused with hostname: '%s' (e.g, '%s')"),
 auth, fake);
 }
- if (msg != 0)
+ if (msg != 0 && !parse_only)
 HTAlert(msg);
 if (do_trimming) {
 while ((*p1++ = *p2++) != '\0') {
@@ -1312,7 +1312,7 @@ static int HTLoadHTTP(const char *arg,
 char *host = NULL;
 if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
- strip_userid(host);
+ strip_userid(host, TRUE);
 HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
 FREE(host);
 }
diff --git a/WWW/Library/Implementation/HTUtils.h b/WWW/Library/Implementation/HTUtils.h
index d0757e55..5c221ccb 100644
--- a/WWW/Library/Implementation/HTUtils.h
+++ b/WWW/Library/Implementation/HTUtils.h
@@ -1,5 +1,5 @@
 /*
- * $LynxId: HTUtils.h,v 1.120 2014/01/19 15:18:01 tom Exp $
+ * $LynxId: HTUtils.h,v 1.121 2016/11/15 09:26:37 tom Exp $
 *
 * Utility macros for the W3 code library
 * MACROS FOR GENERAL USE
@@ -801,6 +801,8 @@ extern "C" {
 extern FILE *TraceFP(void);
+ extern void strip_userid(char *host, int warn);
+
 #ifdef USE_SSL
 extern SSL *HTGetSSLHandle(void);
 extern void HTSSLInitPRNG(void);
diff --git a/configure b/configure
index 52fed60a..d8468ba9 100755
--- a/configure
+++ b/configure
@@ -1274,7 +1274,7 @@ rm conftest.sed PACKAGE=lynx
 # $Format: "VERSION=$ProjectVersion$"$
-VERSION=2.8.9dev.10
+VERSION=2.8.9dev.11
 echo "$as_me:1279: checking for DESTDIR" >&5
 echo $ECHO_N "checking for DESTDIR... $ECHO_C" >&6
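Review bot: The header comment above strip_userid in HTTP.c (hunk at -582) still only says that it strips the username, although the function is now exported and takes `parse_only`. The flag only gates the alert: the hunk at -633 changes the test to `if (msg != 0 && !parse_only)`, while the `do_trimming` copy that follows still runs, so the name promises more than the code does. I would extend the comment with something like `parse_only: nonzero suppresses the HTAlert warning; the string is still trimmed in place`, and consider `BOOLEAN` for the parameter since every caller on this page passes TRUE or FALSE. The function body continues outside both hunks.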
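Review bot: The prototype added to HTUtils.h names the second parameter `warn`, but the definition in HTTP.c calls it `parse_only` and shows the alert only when it is zero, so the header reads with the opposite sense. A caller going by the header would pass TRUE expecting a warning and get none. The prototype should match the definition, `extern void strip_userid(char *host, int parse_only);`, with a one-line comment giving the flag's meaning.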
diff --git a/configure.in b/configure.in
index 3993342a..610fa14d 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
-dnl $LynxId: configure.in,v 1.283 2016/09/10 11:22:22 tom Exp $
+dnl $LynxId: configure.in,v 1.284 2016/11/15 09:04:25 tom Exp $
 dnl
 dnl Process this file with autoconf to produce a configure script.
 dnl
@@ -29,7 +29,7 @@ dnl ---------------------------------------------------------------------------
 dnl
 dnl ask PRCS to plug-in the project-version for the configure-script.
 dnl $Format: "AC_REVISION($ProjectVersion$)"$
-AC_REVISION(2.8.9dev.10)
+AC_REVISION(2.8.9dev.11)
 # Save the original $CFLAGS so we can distinguish whether the user set those
 # in the environment, or whether autoconf added -O and -g options:
@@ -64,7 +64,7 @@ AC_ARG_PROGRAM PACKAGE=lynx
 dnl ask PRCS to plug-in the project-version for the packages.
 # $Format: "VERSION=$ProjectVersion$"$
-VERSION=2.8.9dev.10
+VERSION=2.8.9dev.11
 AC_SUBST(PACKAGE)
 AC_SUBST(VERSION)
diff --git a/lynx.cfg b/lynx.cfg
index d0baa4d9..e5cfc4f0 100644
--- a/lynx.cfg
+++ b/lynx.cfg
@@ -1,13 +1,13 @@
-# $LynxId: lynx.cfg,v 1.273 2016/09/10 11:22:22 tom Exp $
+# $LynxId: lynx.cfg,v 1.274 2016/11/15 09:04:25 tom Exp $
 # lynx.cfg file.
 # The default placement for this file is /usr/local/lib/lynx.cfg (Unix)
 # or Lynx_Dir:lynx.cfg (VMS)
 #
 # $Format: "#PRCS LYNX_VERSION \"$ProjectVersion$\""$
-#PRCS LYNX_VERSION "2.8.9dev.10"
+#PRCS LYNX_VERSION "2.8.9dev.11"
 #
 # $Format: "#PRCS LYNX_DATE \"$ProjectDate$\""$
-#PRCS LYNX_DATE "Sat, 10 Sep 2016 07:22:22 -0400"
+#PRCS LYNX_DATE "Tue, 15 Nov 2016 04:04:25 -0500"
 #
 # Definition pairs are of the form VARIABLE:DEFINITION
 # NO spaces are allowed between the pair items.
diff --git a/makefile.in b/makefile.in
index c664411f..c434b627 100644
--- a/makefile.in
+++ b/makefile.in
@@ -1,4 +1,4 @@
-# $LynxId: makefile.in,v 1.157 2016/09/10 11:22:22 tom Exp $
+# $LynxId: makefile.in,v 1.158 2016/11/15 09:04:25 tom Exp $
 ##makefile for lynx
 SHELL = @CONFIG_SHELL@
@@ -46,7 +46,7 @@ TAR_UP = $(TAR) @TAR_UP_OPTIONS@ @TAR_PIPE_OPTIONS@
 TAR_DOWN = $(TAR) @TAR_DOWN_OPTIONS@ @TAR_PIPE_OPTIONS@
 # $Format: "LYNX_VERSION = $ProjectVersion$"$
-LYNX_VERSION = 2.8.9dev.10
+LYNX_VERSION = 2.8.9dev.11
 ## This is the version which we are developing (or, upon release, make this
 ## the same). Use no dots in the name, since it must work on VMS and MS-DOS.
diff --git a/src/LYIcon.rc b/src/LYIcon.rc
index 1aaf0831..2752f8f6 100644
--- a/src/LYIcon.rc
+++ b/src/LYIcon.rc
@@ -1,12 +1,12 @@
-// $LynxId: LYIcon.rc,v 1.24 2016/09/10 11:22:22 tom Exp $
+// $LynxId: LYIcon.rc,v 1.25 2016/11/15 09:04:25 tom Exp $
 #include <windows.h>
 100 ICON "../samples/lynx.ico"
 VS_VERSION_INFO VERSIONINFO
-FILEVERSION 2,8,9,1010
-PRODUCTVERSION 2,8,9,1010
+FILEVERSION 2,8,9,1011
+PRODUCTVERSION 2,8,9,1011
 FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
 FILEFLAGS 0
 FILEOS VOS_NT_WINDOWS32
@@ -19,12 +19,12 @@ BEGIN
 BEGIN
 VALUE "CompanyName", "http://invisible-island.net/lynx"
 VALUE "FileDescription", "Lynx - web browser"
- VALUE "FileVersion", "2.8.9.1010"
+ VALUE "FileVersion", "2.8.9.1011"
 VALUE "InternalName", "Lynx"
 VALUE "LegalCopyright", "©1997-2016 Thomas E. Dickey"
 VALUE "OriginalFilename", "lynx.exe"
 VALUE "ProductName", "Lynx - web browser"
- VALUE "ProductVersion", "2.8.9.1010"
+ VALUE "ProductVersion", "2.8.9.1011"
 END
 END
 BLOCK "VarFileInfo"
diff --git a/src/LYUtils.c b/src/LYUtils.c
index 4772fa47..b47779e9 100644
--- a/src/LYUtils.c
+++ b/src/LYUtils.c
@@ -1,5 +1,5 @@
 /*
- * $LynxId: LYUtils.c,v 1.274 2015/03/22 15:38:23 tom Exp $
+ * $LynxId: LYUtils.c,v 1.275 2016/11/15 09:34:30 tom Exp $
 */
 #include <HTUtils.h>
 #include <HTTCP.h>
@@ -4689,6 +4689,7 @@ BOOLEAN LYExpandHostForURL(char **AllocatedString,
 * Do a DNS test on the potential host field as presently trimmed. - FM
 */
 StrAllocCopy(host, Str);
+ strip_userid(host, FALSE);
 HTUnEscape(host);
 if (LYCursesON) {
 StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
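Review bot: In the LYExpandHostForURL hunk of LYUtils.c, `strip_userid(host, FALSE);` is placed before `HTUnEscape(host);` with no comment on why that order matters. Stripping first means only a literal `@` is treated as the user/password delimiter, while an escaped one is decoded afterwards and stays in the name handed to the DNS test; if that is the intent it should be stated, for example `/* strip user/password before unescaping: only a literal '@' delimits it */`. This call and the one in HTDoConnect both pass FALSE, so the same URL may be warned about twice, which is worth checking. The function starts and ends outside the hunk.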
diff --git a/userdefs.h b/userdefs.h
index 55266381..edec5b8d 100644
--- a/userdefs.h
+++ b/userdefs.h
@@ -1,5 +1,5 @@
 /*
- * $LynxId: userdefs.h,v 1.320 2016/09/10 11:22:22 tom Exp $
+ * $LynxId: userdefs.h,v 1.321 2016/11/15 09:04:25 tom Exp $
 *
 * Lynx - Hypertext navigation system
 *
@@ -1442,11 +1442,11 @@
 * the version definition with the Project Version on checkout. Just
 * ignore it. - kw */
 /* $Format: "#define LYNX_VERSION \"$ProjectVersion$\""$ */
-#define LYNX_VERSION "2.8.9dev.10"
+#define LYNX_VERSION "2.8.9dev.11"
 #define LYNX_WWW_HOME "http://lynx.invisible-island.net/"
 #define LYNX_WWW_DIST "http://lynx.invisible-island.net/current/"
 /* $Format: "#define LYNX_DATE \"$ProjectDate$\""$ */
-#define LYNX_DATE "Sat, 10 Sep 2016 07:22:22 -0400"
+#define LYNX_DATE "Tue, 15 Nov 2016 04:04:25 -0500"
 #define LYNX_DATE_OFF 5 /* truncate the automatically-generated date */
 #define LYNX_DATE_LEN 11 /* truncate the automatically-generated date */ |