-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | WWW/Library/Implementation/HTTP.c | 28 |
2 files changed, 21 insertions, 11 deletions
diff --git a/CHANGES b/CHANGES
index 3146bd34..3d9f1225 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,9 @@
--- $LynxId: CHANGES,v 1.858 2016/11/05 12:56:41 tom Exp $
+-- $LynxId: CHANGES,v 1.859 2016/11/08 09:38:27 tom Exp $
 ===============================================================================
 Changes since Lynx 2.8 release
 ===============================================================================
-2016-11-05 (2.8.9dev.10)
+2016-11-08 (2.8.9dev.10)
 * improved fix for OpenSSL 1.1 (Taketo Kabe).
 * improve warning message when stripping user/password from URL; report on http://seclists.org/oss-sec/2016/q4/322 treated as a Lynx parsing error the
diff --git a/WWW/Library/Implementation/HTTP.c b/WWW/Library/Implementation/HTTP.c
index b5d60ef3..a5be9264 100644
--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
@@ -1,5 +1,5 @@
 /*
- * $LynxId: HTTP.c,v 1.158 2016/11/05 16:18:13 tom Exp $
+ * $LynxId: HTTP.c,v 1.159 2016/11/08 09:38:27 tom Exp $
 *
 * HyperText Tranfer Protocol - Client implementation HTTP.c
 * ==========================
@@ -566,6 +566,19 @@ static char *skip_user_passwd(char *host)
 return result;
 }
+static char *fake_hostname(char *auth)
+{
+ char *result = NULL;
+ char *colon = NULL;
+
+ StrAllocCopy(result, auth);
+ if ((colon = strchr(result, ':')) != 0)
+ *colon = '\0';
+ if (strchr(result, '.') == 0)
+ FREE(result);
+ return result;
+}
+
 /*
 * Strip any username from the given string so we retain only the host.
 */
@@ -573,12 +586,12 @@ static void strip_userid(char *host)
 {
 char *p1 = host;
 char *p2 = skip_user_passwd(host);
- char *fake;
 if (p2 != 0) {
 char *msg = NULL;
 char *auth = NULL;
 char *save = NULL;
+ char *fake = NULL;
 char *p3 = p2;
 int gen_delims = 0;
 int sub_delims = 0;
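Review bot: fake_hostname() is added without a comment stating its contract, and the rule it applies is narrower than its name suggests: it copies the argument, cuts it at the first ':' and returns the copy only if a '.' remains, so text without a dot is never reported through this path. I would add above it `/* Return a copy of the text before the first ':' when it contains a '.', i.e. it could be read as a hostname; otherwise NULL. The caller must FREE() the result. */`. The argument is only read, so `const char *` would fit if StrAllocCopy accepts a const source (its definition is not visible here). Since strip_userid passes its trimmed `host` rather than the saved `auth` string, a neutral parameter name would also avoid confusion.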
@@ -606,23 +619,19 @@ static void strip_userid(char *host)
 CTRACE((tfp, "trimmed:%s\n", host));
 StrAllocCopy(save, host);
- if (gen_delims) {
+ if (gen_delims || strcmp(save, auth)) {
 HTSprintf0(&msg,
 gettext("User/password may appear to be a hostname: '%s' (e.g, '%s')"),
 auth, save);
- do_trimming = 0;
+ do_trimming = !gen_delims;
 } else if (*host == '\0' && sub_delims) {
 HTSprintf0(&msg,
 gettext("User/password contains only punctuation: %s"),
 auth);
- } else if ((fake = HTParse(host, "", PARSE_HOST)) != NULL && *fake) {
+ } else if ((fake = fake_hostname(host)) != NULL) {
 HTSprintf0(&msg,
 gettext("User/password may be confused with hostname: '%s' (e.g, '%s')"),
 auth, fake);
- } else if (strcmp(save, auth)) {
- HTSprintf0(&msg,
- gettext("User/password may appear to be a hostname: '%s' (e.g, '%s')"),
- auth, save);
 }
 if (msg != 0)
 HTAlert(msg);
@@ -631,6 +640,7 @@ static void strip_userid(char *host)
 ;
 }
 }
+ FREE(fake);
 FREE(save);
 FREE(auth);
 FREE(msg);
|
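Review bot: `do_trimming = !gen_delims;` can now switch trimming on, where the removed code only ever switched it off: when `gen_delims` is 0 and the branch is entered through `strcmp(save, auth)`, the flag becomes 1 whatever value it held before. Its initial value is assigned above this hunk, so whether that changes the result depends on lines not shown here. If the intent is only to suppress trimming in the gen-delims case, `if (gen_delims) do_trimming = 0;` keeps the earlier behaviour for the other path. The bare `strcmp(save, auth)` would also read more clearly as `strcmp(save, auth) != 0`, matching the `!= 0` tests used nearby. The body of strip_userid starts and ends outside this hunk.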