RobertM wrote: > Greetings, > > It is alleged that Jeff Long once typed: > >>It seems to me that -anonymous is pretty messed up in 2.8.4 when compared >>to 2.8.3. For example, when -anonymous is used in 2.8.4 I can: >> >>1) Go to a served file: URL which then can get me into DirEd which then >>gets me /etc/passwd >>2) Use ! to spawn my shell (which isn't a big deal when the shell is a >>script that starts lynx) >>3) I can save options to a .lynxrc file >>4) I can save a file to disk (e.g. using the d key) > > > All of these can be enabled or not for anonymous at compile time. > > >>and perhaps some other things I missed. Perhaps this is the way it is >>supposed to work... > > > I suspect this is due to the options set in the copy of lynx you're > using. The anonymous lynx client at lynx.scramworks.net certainly > won'tlet you do those things, it's running 2.8.4rel.1. > However I did go through the options very very carefully.
Well, I thought I had also gone through them carefully (in both userdefs.h and lynx.cfg). I do not see any settings in them for #2. For #1 I have CAN_ANONYMOUS_GOTO_FILE set to FALSE but it appears that -anonymous causes the file_url restriction to be turned off thus allowing the file: to work. For #3 I cannot find any lynxrc/options settings that apply when -anonymous is used in userdefs.h/lynx.cfg. Same for #4. None of the lynx.cfg/userdefs.h settings seem to apply to downloading to disk when -anonymous is used. My userdefs.h and lynx.cfg are virtually identical between 2.8.3 and 2.8.4 which is why I'm a bit confused. Jeff ; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to [EMAIL PROTECTED]
