Debian Bug report logs - #274619
lynx-ssl: Faulty parsing of relative URLs

Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: Liam K Morland <Liam@Morland.ca>

Date: Sun, 3 Oct 2004 02:48:02 UTC

Severity: normal

Fixed in version 2.8.7dev9-1.2

Done: Andreas Metzler <ametzler@downhill.at.eu.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#274619; Package lynx-ssl. Full text and rfc822 format available.

Acknowledgement sent to Liam K Morland <Liam@Morland.ca>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Liam K Morland <Liam@Morland.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lynx-ssl: Faulty parsing of relative URLs
Date: Sat, 02 Oct 2004 01:04:14 -0400
Package: lynx-ssl
Version: 1:2.8.4.1b-3.1
Severity: normal

On this page:

http://wj55.org/Minutes.php

There is this tag:

<a href="?date_meeting=2004-08-31">Tuesday, August 31, 2004</a>

Following this link ~should~ take one to:

http://wj55.org/Minutes.php?date_meeting=2004-08-31

But instead, we get to:

http://wj55.org/?date_meeting=2004-08-31

This violates RFC 1808: Relative Uniform Resource Locators

Liam

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=en_CA, LC_CTYPE=en_CA

Versions of packages lynx-ssl depends on:
ii  libc6                       2.3.2.ds1-16 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand
ii  libssl0.9.6                 0.9.6l-4     SSL shared libraries (old version)
ii  zlib1g                      1:1.2.1.1-7  compression library - runtime

-- no debconf information



Message sent on to Liam K Morland <Liam@Morland.ca>:
Bug#274619. Full text and rfc822 format available.

Message #8 received at 274619-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: 274619-submitter@bugs.debian.org
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Mon, 4 Oct 2004 08:35:46 -0400
On Sun, Oct 03, 2004 at 05:00:12AM +0200, Liam K Morland wrote:
> Package: lynx-ssl
> Version: 1:2.8.4.1b-3.1

That's old.  You should be testing lynx-cur

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Information stored:
Bug#274619; Package lynx-ssl. Full text and rfc822 format available.

Acknowledgement sent to Liam Morland <Liam@Morland.ca>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #13 received at 274619-quiet@bugs.debian.org (full text, mbox):

From: Liam Morland <Liam@Morland.ca>
To: Thomas Dickey <dickey@radix.net>, 274619-quiet@bugs.debian.org
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Mon, 4 Oct 2004 10:53:06 -0400
2004-10-04 08:35-0400 Thomas Dickey <dickey@radix.net> wrote:
>On Sun, Oct 03, 2004 at 05:00:12AM +0200, Liam K Morland wrote:
>> Package: lynx-ssl
>> Version: 1:2.8.4.1b-3.1
>
>That's old.  You should be testing lynx-cur

The problem also exists in the debian-testing version of lynx-cur
2.8.6-4.

Liam

--
Liam Morland <Liam@Morland.ca>        Canadian Scout Camps Directory
<http://Liam.Morland.ca/>              <http://ScoutDocs.ca/Camps/>

PGP Public Key: <http://Liam.Morland.ca/public-key.pgp>




Message sent on to Liam K Morland <Liam@Morland.ca>:
Bug#274619. Full text and rfc822 format available.

Message #16 received at 274619-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: 274619-submitter@bugs.debian.org
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Mon, 4 Oct 2004 11:07:53 -0400
On Mon, Oct 04, 2004 at 10:53:06AM -0400, Liam Morland wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 2004-10-04 08:35-0400 Thomas Dickey <dickey@radix.net> wrote:
> >On Sun, Oct 03, 2004 at 05:00:12AM +0200, Liam K Morland wrote:
> >> Package: lynx-ssl
> >> Version: 1:2.8.4.1b-3.1
> >
> >That's old.  You should be testing lynx-cur
> 
> The problem also exists in the debian-testing version of lynx-cur
> 2.8.6-4.

thanks for the update (I'll see if I can reproduce the problem).

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Message sent on to Liam K Morland <Liam@Morland.ca>:
Bug#274619. Full text and rfc822 format available.

Message #19 received at 274619-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: 274619-submitter@bugs.debian.org
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Mon, 4 Oct 2004 18:00:16 -0400
On Mon, Oct 04, 2004 at 10:53:06AM -0400, Liam Morland wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 2004-10-04 08:35-0400 Thomas Dickey <dickey@radix.net> wrote:
> >On Sun, Oct 03, 2004 at 05:00:12AM +0200, Liam K Morland wrote:
> >> Package: lynx-ssl
> >> Version: 1:2.8.4.1b-3.1
> >
> >That's old.  You should be testing lynx-cur
> 
> The problem also exists in the debian-testing version of lynx-cur
> 2.8.6-4.

I can reproduce this in my current version as well (am making a to-do item
for it).

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Message sent on to Liam K Morland <Liam@Morland.ca>:
Bug#274619. Full text and rfc822 format available.

Message #22 received at 274619-submitter@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: 274619-submitter@bugs.debian.org
Cc: Lynx Development <lynx-dev@sig.net>
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Sun, 10 Oct 2004 16:23:49 -0400
On Mon, Oct 04, 2004 at 10:53:06AM -0400, Liam Morland wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 2004-10-04 08:35-0400 Thomas Dickey <dickey@radix.net> wrote:
> >On Sun, Oct 03, 2004 at 05:00:12AM +0200, Liam K Morland wrote:
> >> Package: lynx-ssl
> >> Version: 1:2.8.4.1b-3.1
> >
> >That's old.  You should be testing lynx-cur
> 
> The problem also exists in the debian-testing version of lynx-cur
> 2.8.6-4.

I can see part of the problem (enough to be confused).  Testing "other"
browsers, I see that they behave as you would like.  The lynx code trims
the last segment of the base URL - I can pinpoint that, and changing the
logic is relatively simple:

--- WWW/Library/Implementation/HTParse.c.orig   2004-05-06 21:13:29.000000000 ->
+++ WWW/Library/Implementation/HTParse.c        2004-10-10 16:00:39.000000000 ->
@@ -450,12 +450,13 @@
            *tail++ = '/';
            strcpy(tail, related.absolute);
            if (given.relative) {
-               p = strchr(tail, '?');  /* Search part? */
-               if (p == NULL)
-                   p = (tail + strlen(tail) - 1);
-               for (; *p != '/'; p--) ;        /* last / */
-               p[1] = '\0';    /* Remove filename */
-               strcat(p, given.relative);      /* Add given one */
+               /* remove query, if any */
+               if ((p = strchr(tail, '?')) != 0)
+                   *p = '\0';
+               /* append the relative part to the absolute */
+               tail += strlen(tail);
+               *tail++ = '/';
+               strcpy(tail, given.relative);
                HTSimplify(result);
            }
            CTRACE((tfp, "HTParse: (Related-ABS)\n"));
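
Review bot: the added lines never remove the last segment of the base path. After the query is cut at '?', `tail += strlen(tail); *tail++ = '/';` appends a slash and then `given.relative` to the complete base path, so a reference with a non-empty path lands beneath the base file name instead of replacing it, and the `?date_meeting=...` reference from the report is copied after `Minutes.php/` rather than directly after `Minutes.php`, at least until `HTSimplify(result)` runs. Suggest keeping the removed trim-to-last-'/' logic for the general case and skipping it only when `given.relative` begins with '?', in which case the query should follow the retained path with no added '/'.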

But reading RFC1808, I come upon this paragraph which seems to correspond to
what lynx is doing (since 1997, as I read the changelog):

   Step 6: The last segment of the base URL's path (anything
           following the rightmost slash "/", or the entire path if no
           slash is present) is removed and the embedded URL's path is
           appended in its place.  The following operations are
           then applied, in order, to the new path:

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



Information stored:
Bug#274619; Package lynx-ssl. Full text and rfc822 format available.

Acknowledgement sent to Liam Morland <Liam@Morland.ca>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #27 received at 274619-quiet@bugs.debian.org (full text, mbox):

From: Liam Morland <Liam@Morland.ca>
To: Thomas Dickey <dickey@radix.net>, 274619-quiet@bugs.debian.org
Cc: 274619-submitter@bugs.debian.org, Lynx Development <lynx-dev@sig.net>
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Sun, 10 Oct 2004 22:46:58 -0400
2004-10-10 16:23-0400 Thomas Dickey <dickey@radix.net> wrote: [...]
>But reading RFC1808, I come upon this paragraph which seems to correspond to
>what lynx is doing (since 1997, as I read the changelog):
>
>   Step 6: The last segment of the base URL's path (anything
>           following the rightmost slash "/", or the entire path if no
>           slash is present) is removed and the embedded URL's path is
>           appended in its place.  The following operations are
>           then applied, in order, to the new path: [...]

Thomas,

I haven't read the entire RFC, but I think in the case at hand, step 6
is skipped:

   Step 5: If the embedded URL path is empty (and not preceded by a
           slash), then the embedded URL inherits the base URL path,
           and

           a) if the embedded URL's <params> is non-empty, we skip to
              step 7; otherwise, it inherits the <params> of the base
              URL (if any) and

           b) if the embedded URL's <query> is non-empty, we skip to
              step 7; otherwise, it inherits the <query> of the base
              URL (if any) and we skip to step 7.

The relative URL's path is empty since we're looking at <a href="?foo=bar">
so we should inherit the base URL path and skip to step 7.

The examples confirm it:

	5.  Examples and Recommended Practice

	   Within an object with a well-defined base URL of

	      Base: <URL:http://a/b/c/d;p?q#f>

	   the relative URLs would be resolved as follows:

	5.1.  Normal Examples [...]

	      ?y         = <URL:http://a/b/c/d;p?y>

Regards,
Liam

--
Liam Morland <Liam@Morland.ca>        Help Make Scouts Canada Democratic
<http://Liam.Morland.ca/>                   <http://ScoutEh.ca/>

PGP Public Key: <http://Liam.Morland.ca/public-key.pgp>




Message sent on to Liam K Morland <Liam@Morland.ca>:
Bug#274619. Full text and rfc822 format available.
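
The RFC 1808 step 5 versus step 6 distinction argued in the messages above, as an added C example that is not lynx code and not part of the thread. `resolve_rfc1808` and `resolve_always_trim` are hypothetical names; inputs are assumed to carry only path, params and query (no scheme, host or fragment), and dot-segment removal is left out. It goes beyond the single `?y` case to the other empty-path and non-empty-path forms.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not lynx code. base = base URL path with any ;params
 * and ?query; rel = relative reference. Neither carries scheme, host or
 * fragment. Dot-segment removal (RFC 1808 steps 6a-6d) is not performed. */

/* Bounded scan back to just after the rightmost '/' in base[0..n). */
static size_t trim_segment(const char *base, size_t n)
{
    while (n > 0 && base[n - 1] != '/')
        n--;
    return n;
}

/* Write base[0..keep) followed by rel; -1 if out is too small. */
static int join(const char *base, size_t keep, const char *rel, char *out, size_t outsz)
{
    if (keep + strlen(rel) + 1 > outsz)
        return -1;
    memcpy(out, base, keep);
    strcpy(out + keep, rel);
    return 0;
}

int resolve_rfc1808(const char *base, const char *rel, char *out, size_t outsz)
{
    size_t plen = strcspn(base, ";?");     /* bare path, no params/query */
    size_t keep;                           /* bytes of base to retain */
    if (rel[0] == '/')       keep = 0;                    /* step 4 */
    else if (rel[0] == '\0') keep = strlen(base);         /* step 5: inherit all */
    else if (rel[0] == ';')  keep = plen;                 /* step 5a: own params */
    else if (rel[0] == '?')  keep = strcspn(base, "?");   /* step 5b: own query */
    else                     keep = trim_segment(base, plen);  /* step 6 */
    return join(base, keep, rel, out, outsz);
}

/* Behaviour from the report: last segment trimmed even for an empty path. */
int resolve_always_trim(const char *base, const char *rel, char *out, size_t outsz)
{
    return join(base, trim_segment(base, strcspn(base, "?")), rel, out, outsz);
}

int main(void)
{
    char buf[64];
    if (resolve_rfc1808("/Minutes.php", "?date_meeting=2004-08-31", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```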

Bug reassigned from package `lynx-ssl' to `lynx'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (Tue, 10 Jun 2008 08:57:07 GMT) Full text and rfc822 format available.

Reply sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Liam K Morland <Liam@Morland.ca>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 274619-done@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: 274619-done@bugs.debian.org
Subject: Re: Bug#274619: lynx-ssl: Faulty parsing of relative URLs
Date: Sat, 19 Jul 2008 10:45:56 +0200
Version: 2.8.7dev9-1.2

On 2004-10-02 Liam K Morland <Liam@Morland.ca> wrote:
> Package: lynx-ssl
> Version: 1:2.8.4.1b-3.1
> Severity: normal

> On this page:

> http://wj55.org/Minutes.php

> There is this tag:

> <a href="?date_meeting=2004-08-31">Tuesday, August 31, 2004</a>

> Following this link ~should~ take one to:

> http://wj55.org/Minutes.php?date_meeting=2004-08-31

> But instead, we get to:

> http://wj55.org/?date_meeting=2004-08-31
[...]

Hello,
I cannot reproduce this with 2.8.7dev9-1.2 anymore. Closing.
lynx -useragent=Lynx/2.8.5rel.1 http://wj55.org/Minutes.php
follows the links as expected.


On a sidenote the site seems to be broken, it barfs on
lynx's user agent header:

-------------------------
ametzler@argenau:/chroots/sid/usr/share/doc/lynx-cur$ telnet wj55.org 80
Trying 76.74.187.200...
Connected to wj55.org.
Escape character is '^]'.
HEAD /Minutes.php HTTP/1.0
Host: wj55.org
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/1.4.4

HTTP/1.1 406 Not Acceptable
Date: Sat, 19 Jul 2008 08:38:15 GMT
Server: Apache
Content-Length: 262
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /Minutes.php could not be found on this server.</p>
</body></html>
Connection closed by foreign host.
ametzler@argenau:/chroots/sid/usr/share/doc/lynx-cur$
-------------------------

I am quite sure this is a site problem, not one in lynx since the
same happens when using the User-Agent example in rfc1945
("User-Agent: CERN-LineMode/2.15 libwww/2.17b3")
cu andreas




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Aug 2008 07:27:14 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:21:06 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.