wok view lynx/stuff/lynx-2.8.9rel.1-security_fix-1.patch @ rev 24891

lynx: use ncursesw (tanks ceel)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Thu Apr 07 07:20:18 2022 +0000 (2022-04-07)
1 Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org>
2 Date: 2021-12-18
3 Initial Package Version: 2.8.9rel.1
4 Upstream Status: Applied
5 Origin: Arch Linux (https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff)
6 Description: Fixes CVE-2021-38165 in Lynx, which allows for
7 usernames and passwords to be transmitted in cleartext
8 anytime an HTTPS connection is used.
10 diff -Naurp lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c
11 --- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c 2018-05-04 15:07:43.000000000 -0500
12 +++ lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c 2021-12-18 14:12:57.503796366 -0600
13 @@ -761,6 +761,22 @@ static char *StripIpv6Brackets(char *hos
14 return host;
15 }
16 #endif
17 +/*
18 + * Remove user/password, if any, from the given host-string.
19 + */
20 +#ifdef USE_SSL
21 +static char *StripUserAuthents(char *host)
22 +{
23 + char *p = strchr(host, '@');
24 +
25 + if (p != NULL) {
26 + char *q = host;
27 +
28 + while ((*q++ = *++p) != '\0') ;
29 + }
30 + return host;
31 +}
32 +#endif
34 /* Load Document from HTTP Server HTLoadHTTP()
35 * ==============================
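Review bot: `strchr(host, '@')` in StripUserAuthents cuts at the first '@', so an authority whose userinfo itself contains an unencoded '@' (constructed example: `user:p@ss@example.org`) would come out as `ss@example.org`, and part of the credential would still reach the TLS server name. A hostname cannot contain '@', so the last one is the real delimiter; `char *p = strrchr(host, '@');` handles both cases with no other change to the loop. The header comment could also say that the string is edited in place and the same pointer is returned, e.g. `/* Remove "user[:password]@" from host in place; returns host. */`, and it would read better inside the `#ifdef USE_SSL` guard next to the function it describes.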
36 @@ -957,6 +973,7 @@ static int HTLoadHTTP(const char *arg,
37 /* get host we're connecting to */
38 ssl_host = HTParse(url, "", PARSE_HOST);
39 ssl_host = StripIpv6Brackets(ssl_host);
40 + ssl_host = StripUserAuthents(ssl_host);
41 #if defined(USE_GNUTLS_FUNCS)
42 ret = gnutls_server_name_set(handle->gnutls_state,
43 GNUTLS_NAME_DNS,
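Review bot: The new call runs after `StripIpv6Brackets(ssl_host)`, so for a URL that combines userinfo with a bracketed IPv6 literal the bracket stripping sees the string while it still begins with the userinfo. The body of StripIpv6Brackets is outside this hunk; if it only recognises a leading '[', the brackets would survive into the value handed to `gnutls_server_name_set`. Swapping the two lines, `ssl_host = StripUserAuthents(ssl_host);` followed by `ssl_host = StripIpv6Brackets(ssl_host);`, removes that dependency. HTLoadHTTP continues past the hunk, so it cannot be confirmed from here whether later consumers of the host string (certificate name checks, for instance) also receive the stripped value.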