Debian Bug report logs - #318034
lynx: doesn't escape variable names for multipart/form-data

version graph

Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: Frederic Briere <fbriere@fbriere.net>

Date: Wed, 13 Jul 2005 00:48:02 UTC

Severity: normal

Tags: fixed-upstream

Found in version 2.8.5-2

Fixed in version lynx/2.8.6-1

Done: warp@debian.org (Zephaniah E. Hull)

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Frederic Briere <fbriere@fbriere.net>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Frederic Briere <fbriere@fbriere.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lynx: doesn't escape variable names for multipart/form-data
Date: Tue, 12 Jul 2005 20:42:41 -0400
Package: lynx
Version: 2.8.5-2
Severity: normal

Given the following form:

  <FORM ENCTYPE="multipart/form-data" ...>
  <INPUT NAME="quot;foo&quot;" ...
  ...
  </FORM>

lynx will naively submit the following:

  Content-Disposition: form-data; name=""foo""

which is clearly wrong.


RFC 1867 never actually bothers to formally define Content-Disposition,
but it does refer to RFC 1806, which (via RFC 822) mandates that this
header's value be a quoted-string, and must be escaped properly.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-2
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages lynx depends on:
ii  libbz2-1.0                  1.0.2-7      high-quality block-sorting file co
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libgnutls11                 1.0.16-13.1  GNU TLS library - runtime library
ii  libncursesw5                5.4-8        Shared libraries for terminal hand
ii  zlib1g                      1:1.2.2-7    compression library - runtime

Versions of packages lynx recommends:
ii  mime-support                  3.34-1     MIME files 'mime.types' & 'mailcap

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #10 received at 318034@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: Frederic Briere <fbriere@fbriere.net>, 318034@bugs.debian.org
Subject: Re: Bug#318034: lynx: doesn't escape variable names for multipart/form-data
Date: Wed, 13 Jul 2005 06:49:52 -0400
On Wed, Jul 13, 2005 at 03:00:13AM +0200, Frederic Briere wrote:
> Package: lynx
> Version: 2.8.5-2
> Severity: normal
> 
> Given the following form:
> 
>   <FORM ENCTYPE="multipart/form-data" ...>
>   <INPUT NAME="quot;foo&quot;" ...
did you mean
    <INPUT NAME="&quot;foo&quot;" ...

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #15 received at 318034@bugs.debian.org (full text, mbox):

From: Frédéric Brière <fbriere@fbriere.net>
To: 318034@bugs.debian.org
Cc: Thomas Dickey <dickey@radix.net>
Subject: Re: Bug#318034: lynx: doesn't escape variable names for multipart/form-data
Date: Wed, 13 Jul 2005 15:55:00 -0400
On Wed, Jul 13, 2005 at 06:49:52AM -0400, Thomas Dickey wrote:
> >   <INPUT NAME="quot;foo&quot;" ...
>
> did you mean
>
>     <INPUT NAME="&quot;foo&quot;" ...

Yeah, sorry.  I knew I'd screw up somehow. :)


-- 
             Frédéric Brière    <*>    fbriere@fbriere.net

 =>  <fbriere@abacom.com> IS NO MORE:  <http://www.abacomsucks.com>  <=



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #20 received at 318034@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@radix.net>
To: Frédéric Brière <fbriere@fbriere.net>
Cc: 318034@bugs.debian.org
Subject: Re: Bug#318034: lynx: doesn't escape variable names for multipart/form-data
Date: Wed, 13 Jul 2005 17:43:55 -0400
[Message part 1 (text/plain, inline)]
On Wed, Jul 13, 2005 at 03:55:00PM -0400, Frédéric Brière wrote:
> On Wed, Jul 13, 2005 at 06:49:52AM -0400, Thomas Dickey wrote:
> > >   <INPUT NAME="quot;foo&quot;" ...
> >
> > did you mean
> >
> >     <INPUT NAME="&quot;foo&quot;" ...
> 
> Yeah, sorry.  I knew I'd screw up somehow. :)

thanks (on my to-do list)

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #25 received at 318034@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: Frederic Briere <fbriere@fbriere.net>, 318034@bugs.debian.org
Subject: Re: Bug#318034: lynx: doesn't escape variable names for multipart/form-data
Date: Fri, 26 Aug 2005 18:27:35 -0400
[Message part 1 (text/plain, inline)]
On Wed, Jul 13, 2005 at 03:00:13AM +0200, Frederic Briere wrote:
> Package: lynx
> Version: 2.8.5-2
> Severity: normal
> 
> Given the following form:
> 
>   <FORM ENCTYPE="multipart/form-data" ...>
>   <INPUT NAME="quot;foo&quot;" ...
>   ...
>   </FORM>
> 
> lynx will naively submit the following:
> 
>   Content-Disposition: form-data; name=""foo""

This is still wrong in lynx-cur.  I'm making a fix so the next lynx-cur
should work properly.  What I'm seeing is not as naive, but an error.

In 2.8.5 it does call HTMake822Word, which is supposed to deal with this.
But that function confuses backslash and escape.  The result is that
the inner double-quotes are escaped with escape (033) characters rather
than backslashes (0134).  Oddly enough, that error is quite old (1998),
and only applies to some control characters as well as double-quote and
backslash.

After correcting this (near the end of HTParse.c):

	if ((a != '\011') && ((a & 127) < 32 ||
			      (a < 128 && ((crfc[a - 32]) & 2))))
	    *q++ = '\033';
 
to

	if ((a != '\011') && ((a & 127) < 32 ||
			      (a < 128 && ((crfc[a - 32]) & 2))))
	    *q++ = '\134';

I see in the trace

Query 112{--LYNX\r
Content-Disposition: form-data; name="\\"foo\\""\r
Content-Type: text/plain\r
\r
Submit this form\r
--LYNX--\r
}

which looks correct...

> which is clearly wrong.
> 
> 
> RFC 1867 never actually bothers to formally define Content-Disposition,
> but it does refer to RFC 1806, which (via RFC 822) mandates that this
> header's value be a quoted-string, and must be escaped properly.

;-)

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #30 received at 318034@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 318034@bugs.debian.org
Subject: re: #318034 lynx: doesn't escape variable names for multipart/form-data
Date: Sun, 11 Dec 2005 18:02:07 -0500
[Message part 1 (text/plain, inline)]
This is fixed in lynx 2.8.6dev.14

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed-upstream Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#318034; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #37 received at 318034@bugs.debian.org (full text, mbox):

From: Justin Pryzby <justinpryzby@users.sourceforge.net>
To: dickey@his.com, 318034@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#318034: #318034 lynx: doesn't escape variable names for multipart/form-data
Date: Sun, 11 Dec 2005 20:18:38 -0500
tag 318034 fixed-upstream
thanks

Tagging as such; thanks.

-- 
Clear skies,
Justin

On Sun, Dec 11, 2005 at 06:02:07PM -0500, Thomas Dickey wrote:
> This is fixed in lynx 2.8.6dev.14



Tags added: fixed-upstream Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed-upstream Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to warp@debian.org (Zephaniah E. Hull):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Frederic Briere <fbriere@fbriere.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #46 received at 318034-close@bugs.debian.org (full text, mbox):

From: warp@debian.org (Zephaniah E. Hull)
To: 318034-close@bugs.debian.org
Subject: Bug#318034: fixed in lynx 2.8.6-1
Date: Tue, 01 May 2007 06:17:03 +0000
Source: lynx
Source-Version: 2.8.6-1

We believe that the bug you reported is fixed in the latest version of
lynx, which is due to be installed in the Debian FTP archive:

lynx_2.8.6-1.diff.gz
  to pool/main/l/lynx/lynx_2.8.6-1.diff.gz
lynx_2.8.6-1.dsc
  to pool/main/l/lynx/lynx_2.8.6-1.dsc
lynx_2.8.6-1_amd64.deb
  to pool/main/l/lynx/lynx_2.8.6-1_amd64.deb
lynx_2.8.6.orig.tar.gz
  to pool/main/l/lynx/lynx_2.8.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 318034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zephaniah E. Hull <warp@debian.org> (supplier of updated lynx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 01 May 2007 01:43:17 -0400
Source: lynx
Binary: lynx
Architecture: source amd64
Version: 2.8.6-1
Distribution: unstable
Urgency: low
Maintainer: Zephaniah E. Hull <warp@debian.org>
Changed-By: Zephaniah E. Hull <warp@debian.org>
Description: 
 lynx       - Text-mode WWW Browser
Closes: 40435 67184 99400 120451 121520 132674 137480 141158 147287 152810 157088 171312 184482 188415 193205 204994 240237 244871 248092 252915 254515 265031 268264 271048 304989 313789 315853 318034 325478 343049 344275 374388 390918
Changes: 
 lynx (2.8.6-1) unstable; urgency=low
 .
   * Hijack the package.  I might not be great at it, but I do use it daily.
   * New upstream release.
     Closes: #254515, #137480, #67184, #99400, #132674, #141158, #40435,
     #120451, #157088, #204994, #244871, #248092, #268264, #271048, #318034,
     #343049, #390918, #240237, #313789, #171312, #193205, #252915, #265031,
     #121520, #152810, #188415, #344275, #374388, #184482, #315853
   * Uses the new upstream defaults. Closes: #325478, #147287.
   * Update 01_default-config.dpatch. (Offset changes only.)
   * Update 02_default-key-bindings.dpatch. (Upstream formatting changes.)
   * Kill 03_newer_gnutls.dpatch entirely.
     This was fixed upstream.  But this is also a GPL violation as we only ship
     the patch to configure, and not to configure.in, the source file.
   * Kill 04_CVE-2004-1617.dpatch. (Merged into upstream.)
   * Disable 05_FTBFS_on_GNUHurd_and_GNUkBSD (Upstream changes, file new bug if
     we FTBFS again.)
   * Removed configure arguments:
     --enable-8bit-toupper - Removed, no longer exists.
     --enable-persistent-cookies - Enabled by default.
     --enable-prettysrc - Enabled by default.
     --enable-source-cache - Enabled by default.
     --enable-read-eta - Enabled by default.
   * Added configure arguments:
     --enable-nsl-fork - fork NSL requests, allowing them to be aborted
     --enable-justify-elts - use element-justification logic
   * Update the contents and location of lynx.desktop. Closes: 304989.
   * Other things will be handled by later uploads, patches welcome.
Files: 
 5f2a3005f67b144c6093ae875957d5fe 605 web optional lynx_2.8.6-1.dsc
 2158041a3fdb5d094831da2c82cfcaba 3195728 web optional lynx_2.8.6.orig.tar.gz
 24699d4e88618f94d9dd2b3e88ca41ef 15521 web optional lynx_2.8.6-1.diff.gz
 e44c39690127312aa16149da5356ce4b 2010044 web optional lynx_2.8.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGNtYKRFMAi+ZaeAERAn6nAJ0SiaGd5zI4mt+sknbcH7M2/GWA1gCg2otr
gDdwPYjAsyQXG/udwapEPGA=
=6Lmp
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 04 Jul 2007 07:51:36 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:26:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.