On 2015-07-29, Scarlett wrote:
(My last few mails to this list have been caught by the spam daemon,
so I'm replying directly and hoping this makes its way through).
I've wrestled with w3m's code plenty. What I found did not make me
happy, as bcallah@ can attest (they also pointed me to this message).
Numerous Linux distributions have fixes for fairly serious bugs in w3m
sitting in their patches directories that have not been fixed
upstream.
Fuzzing it did not have positive results.
Memory management practices are terrible. I suspect that replacing the
GC layer with regular malloc() and adding free() in the correct places
would be a major effort. A rewrite would possibly be preferable.
I've merged a lot of fixes from various Linux distributions, and some
of my own (C-standard-libraryification, overflow checks, NULL pointer
deref bugs). I've also made some non-trivial simplifications to the
code, removed a lot of cruft, and made it use libtls.
You can check out my repository here, if you're interested:
https://bitbucket.org/Scarletts/w3m/src
I'd be really happy if other people took an interest and sent in some
patches, or just tested it.
w3m is fairly terrifying code. I would recommend using a "modern"
intensively audited browser and disabling features like JavaScript
over using w3m if security is a major concern.
On the bells and whistles end of the spectrum, I'm rather partial to
Iridium at the moment. Video performance on YouTube is much nicer than
Firefox, and the process-per-tab feature adds some much needed
stability.
I am not a programmer at all, so I avoided stating that my gut tells me that
w3m is likely in dire need of major fixes and optimizations. My dream project,
if I ever learn C, would be to fork w3m or to write a brand new browser in the
spirit of w3m. I'll check out your repo and mess around with it, for sure :)
Thanks for the reply.
-BSD
