Date: Sat, 7 Aug 2021 23:53:18 +0200 From: Axel Beckert <abe@...ian.org> To: Ariadne Conill <ariadne@...eferenced.org> Cc: Salvatore Bonaccorso <carnil@...ian.org>, oss-security@...ts.openwall.com, lynx-dev@...gnu.org Subject: Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Hi Ariadne, [Dropping the Debian-specific recipients as this is no more related to the maintenance of Debian's lynx package.] Ariadne Conill wrote: > > Citing from Ariadne's mail: > > > The issue itself is far more severe: HTParse() does not understand > > > the authn part of the URI at all. > > […] > > > But it will also leak in the Host: header on unencrypted > > > connections, and also probably SSL ones too. > > > > But that looks to me as if Ariadne just refers to the code and hasn't > > actually checked it by trying it. Nevertheless thanks to Ariadne for > > having had a look and proposing a patch! > > Yes, this was my guess since HTParse() doesn't understand the authn part. > But this seems like a rather unfortunate design: parse the URI wrong, and > then "fix" it later? Why not just parse the URI right, to begin with? I agree that it looks a bit unconventional and unintuitive. But I assume this is because Lynx is actually older than the WWW. According to Wikipedia, Lynx "is oldest web browser still being maintained, having started in 1992". It was initially written for another hypertext protocol (something university-internal and gopher-ish according to Wikipedia -- English and German Wikipedia tell slightly different stories here). So it has quite some amount of history in its code and probably especially in its code structure. And compared to those nearly 30 years, the Host header probably came in only after 5 years of developement with HTTP/1.1 in 1997 or so. (And SNI much, much later, kinda "just recently".) So I kinda have some understanding for this unintuitive locations as most of the code is historically grown. Then again, big kudos to Thomas Dickey for still maintaining and developing Lynx. It can't be that easy to maintain a niche program with a code base which such a long history.  https://en.wikipedia.org/wiki/Lynx_(web_browser) Regards, Axel -- ,''`. | Axel Beckert <abe@...ian.org>, https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.