Re: LYNX-DEV WebStar Server with DynaMorph problems
From: Doug Kaufman
Subject: Re: LYNX-DEV WebStar Server with DynaMorph problems
Date: Sun, 2 Nov 1997 12:48:36 -0800 (PST)
On Sat, 1 Nov 1997, Klaus Weide wrote:
> 1997-07-02
> ...
> * Mods in LYGetFile.c to include URLs with content from a form submission
> with method GET in the group for which Referer headers are never sent,
> because the content might include private (e.g., password or credit
> card) information which should not be visible in Referer logs. - FM
>
> So it appears we have a conflict of interest here, since I think FM's concern
> is a valid one.
>
> Anyway, the code doing this additional check is
>
>     if ((LYNoRefererHeader == FALSE &&
>          LYNoRefererForThis == FALSE) &&
>         (url_type == HTTP_URL_TYPE ||
>          url_type == HTTPS_URL_TYPE) &&
>         (cp = strchr(HTLoadedDocumentURL(), '?')) != NULL &&
>         strchr(cp, '=') != NULL) {
>         /*
>          *  Don't send a Referer header if the URL is
>          *  the reply from a form with method GET, in
>          *  case the content has personal data (e.g.,
>          *  a password or credit card number) which
>          *  would become visible in logs. - FM
>          */
>         LYNoRefererForThis = TRUE;
>     }
>
> You may want to disable this and see whether this really solves the
> immediate problem.
Thanks. I recompiled lynx with "LYNoRefererForThis = TRUE" disabled and
I am now able to access the site. The security risk to this seems
real, however. I hope that, with this reply and your note going to the
editor at cjp.com, they will change their site setup to a more
secure and "anybrowser" friendly one.
Doug
__
Doug Kaufman
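
The heuristic in the quoted LYGetFile.c snippet, as a stand-alone added example (not Lynx's code and not part of either message), showing which referring URLs it withholds and which it lets through. The function names referer_looks_like_form_get and build_referer are hypothetical, the URLs are constructed, and the request is assumed to go to an HTTP or HTTPS server.

```c
#include <stdio.h>
#include <string.h>

/* Same test as the quoted snippet: a '?' followed later by an '='
 * is treated as the result of a form submitted with method GET. */
int referer_looks_like_form_get(const char *referring_url)
{
    const char *cp = strchr(referring_url, '?');
    return cp != NULL && strchr(cp, '=') != NULL;
}

/* Hypothetical helper: writes the Referer line into buf, or leaves buf
 * empty when the header is withheld. Returns 1 if a header was written.
 * no_referer_header plays the role of a global "never send" switch. */
int build_referer(char *buf, size_t len, const char *referring_url,
                  int no_referer_header)
{
    if (len == 0)
        return 0;
    buf[0] = '\0';
    if (no_referer_header || referer_looks_like_form_get(referring_url))
        return 0;
    int n = snprintf(buf, len, "Referer: %s\r\n", referring_url);
    if (n < 0 || (size_t)n >= len) {   /* truncated: send nothing */
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the thread. */
    const char *urls[] = {
        "http://shop.example/login?user=alice&pass=s3cret", /* withheld */
        "http://news.example/story?id=42",   /* withheld, though harmless */
        "http://search.example/find?lynx",   /* sent: no '=' after '?' */
        "http://host.example/a=b/page?topic",/* sent: '=' is before '?' */
        "http://host.example/doc.html",      /* sent: no query at all */
    };
    char buf[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        int sent = build_referer(buf, sizeof buf, urls[i], 0);
        printf("%-52s %s\n", urls[i], sent ? "Referer sent" : "withheld");
    }
    return 0;
}
```

The second URL shows the trade-off discussed in the thread: the test cannot tell a form submission from an ordinary link that carries a name=value query, so a server that depends on Referer for such pages receives none.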