[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV Lynx/MSIE denial-of-service

From: Klaus Weide
Subject: Re: LYNX-DEV Lynx/MSIE denial-of-service
Date: Tue, 11 Mar 1997 18:21:38 -0600 (CST)

On Tue, 11 Mar 1997, Alan Cox wrote:

> > The CHARGEN service has other security implications and should be turned
> > off in normal system operation.
> Indeed.

Although CERT Advisory CA-96.01 seems to be mostly concerned with UDP

> Lynx ought to have a sanity limit on page sizes 

If you count input bytes in SGML_character, and similarly in
HTPlain_put_character and HTPlain_write, and compare against a
configured DOCUMENT_MAX_SIZE an each call, you should catch the "normal"
cases where Lynx wants to display a document.  It wouldn't catch the
output of some internal gateways which call HTML.c functions directly,
but tricking those into generating an endless stream of bytes should be at
least a bit more difficult.  It also wouldn't catch D)ownloads and other
cases where Lynx writes incoming data to disk.

> and also on opening device
> files

It's useful in some cases; try something like 

 [some command] | lynx /dev/fd/0 ...


; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]