Jakub Wilk <jw...@debian.org> writes:

> elinks follows HTTP 302 redirects to file:// URLs. This can cause
> information disclosure or, if protocol.file.allow_special_files is
> enabled, denial of service:

If a local user is running ELinks and getting the output to a terminal, then ELinks will display the contents of the file to the user, but the user would have been able to read the file anyway, so I don't think this is a problem.

If a daemon gets a request from an untrusted user, runs ELinks, collects its output and sends it back to the user, then this behavior can cause unwanted disclosure of information. I suspect such daemons should use elinks -anonymous, which disables local file browsing.

If the original URI redirects to a http URL, then -anonymous doesn't prevent it. Such a request too might be able to access resources that the original user cannot:

* Saved HTTP cookies or Kerberos tickets might satisfy access controls on the HTTP server. I think the daemon can ensure that the user account doesn't have these, so ELinks needn't be changed to explicitly block them when -anonymous is used.

* Access control by client IP address, IPsec, or servers at private IP addresses. I don't think ELinks should be responsible for restricting access to such servers.

> $ elinks -eval 'set protocol.file.allow_special_files=1' -dump
> 'http://httpbin.org/redirect-to?url=file:///dev/urandom'

That option is just asking for trouble. Anyway, the daemon can use setrlimit(2) to make the error occur sooner.

> ERROR at /build/elinks-PqPvvp/elinks-0.12~pre6/src/util/memory.c:34: Out of
> memory (realloc returned NULL): retry #1/3, I still exercise my patience and
> retry tirelessly.
> ERROR at /build/elinks-PqPvvp/elinks-0.12~pre6/src/util/memory.c:34: Out of
> memory (realloc returned NULL): retry #2/3, I still exercise my patience and
> retry tirelessly.
> ERROR at /build/elinks-PqPvvp/elinks-0.12~pre6/src/util/memory.c:46: Out of
> memory (realloc returned NULL) after 3 tries, I give up and try to continue.
> Pray for me, please.
> ELinks: Out of memory

Because -dump was used, recovering from this out-of-memory error does not make sense.
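The daemon-side setup suggested in the message above, as an added example (not part of the original message and not ELinks code): a wrapper that runs `elinks -anonymous -dump` with setrlimit(2) caps and an empty home directory. The limit values, the function names, the output and wall-clock caps, and the assumption that ELinks keeps saved cookies under `HOME` are choices made for this example.

```python
import resource
import subprocess
import sys
import tempfile
import threading

MEM_LIMIT = 512 * 1024 * 1024  # assumed address-space cap, in bytes
CPU_LIMIT = 10                 # assumed CPU-time cap, in seconds

def _cap(which, value):
    hard = resource.getrlimit(which)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)  # never ask for more than we inherited
    resource.setrlimit(which, (value, value))

def _apply_limits():
    # Runs in the child between fork and exec, so only the child is limited.
    _cap(resource.RLIMIT_AS, MEM_LIMIT)
    _cap(resource.RLIMIT_CPU, CPU_LIMIT)

def elinks_argv(url):
    # Accept only http(s) as the starting URL; this also keeps a value that
    # begins with "-" from being parsed as an ELinks option.
    if not url.startswith(("http://", "https://")):
        raise ValueError("only http:// and https:// URLs are accepted")
    return ["elinks", "-anonymous", "1", "-dump", "1", url]

def run_limited(argv, max_output=1 << 20, timeout=30):
    # Returns (exit status, output bytes, truncated flag).
    with tempfile.TemporaryDirectory() as home:
        # Empty HOME, minimal environment: no saved cookies, no KRB5CCNAME.
        env = {"PATH": "/usr/bin:/bin", "HOME": home}
        with subprocess.Popen(argv, env=env, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                              preexec_fn=_apply_limits) as proc:
            timer = threading.Timer(timeout, proc.kill)  # wall-clock cap
            timer.start()
            try:
                data = proc.stdout.read(max_output + 1)
                if len(data) > max_output:
                    proc.kill()  # output cap reached, stop the child
                rc = proc.wait()
            finally:
                timer.cancel()
    return rc, data[:max_output], len(data) > max_output

if __name__ == "__main__":
    status, page, _ = run_limited(elinks_argv(sys.argv[1]))
    sys.stdout.buffer.write(page)
```

This does not address the second bullet in the message: a redirect to an http URL on a private address is still followed, so network-level restrictions on the daemon's account remain a separate control.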