Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

From: H E Nelson
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Wed, 25 Jun 1997 09:47:10 +0900 (JST)

> Now, all that said....  the ability to get a shell, or cause lynx to pass
> arbitrary _user-supplied_input_ to the system() command *is* a 'bad thing',
> and should be plugged.  Refusing to process any strings containing any
> shell 'special' characters could be a good start.

Question I have is why it is necessary for Lynx to call `sh' to do a
`cp'.  Wayne said something about doing an exec().  Why can't this be
done, or is it not any "safer"?

Fote, your mods look good (aren't they always).  Seems like it should
have been that way all along.  In my second _hour_ of downloading
bind8.1.1 (599Kb), so I won't be able to test Lynx today or tomorrow.
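
The exec() approach asked about above, as an added example that is not part of the original post and not Lynx's own code: `cp` is run directly through fork() and execv(), so no shell ever parses the file names. The names `copy_noshell` and `demo`, the `/bin/cp` location and the sample file name are assumptions constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L          /* for mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy src to dst by running cp directly, with no shell in between.
 * Each name is a single argv element, so ';', '`', '$' or spaces in it
 * are plain file-name bytes.  Returns cp's exit status, -1 on failure. */
int copy_noshell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing: a name starting with '-' stays a name.
         * /bin/cp is an assumed location; absolute, so PATH is not consulted. */
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", argv);
        _exit(127);                      /* exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: copy a file whose name contains shell syntax and
 * report whether the embedded "touch" ran.  Returns 0 when the copy
 * succeeded and no INJECTED file appeared, nonzero otherwise. */
int demo(void)
{
    char dir[] = "/tmp/noshellXXXXXX";
    FILE *f;
    if (mkdtemp(dir) == NULL || chdir(dir) != 0)
        return 2;
    if ((f = fopen("a; touch INJECTED", "w")) == NULL)
        return 2;
    fputs("data\n", f);
    fclose(f);
    if (copy_noshell("a; touch INJECTED", "copy.txt") != 0)
        return 3;
    return (access("copy.txt", F_OK) == 0 && access("INJECTED", F_OK) != 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

The same file name interpolated into a system("cp ...") string would be split at the ';' by sh, which is the behaviour the quoted paragraph says should be plugged.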
