Bugzilla Bug 231737

Hello,

I just bumped www-client/links to 2.1. Here's an entry from the ChangeLog, I
don't know how you want to handle it:

Tue Jun 24 06:08:04 MET 2008 mikulas:

        Security bug fixed: when "only proxies" is selected, don't pass URLs
        to external programs

Affected arches: alpha, amd64, arm, hppa, ia64, ppc, ppc64, s390, sh, sparc,
x86.

Cheers,
Marcelo

Thanks for the report Marcelo.
I'm opening this bug as the changelog is public anyways.

Could you maybe shed some light on this issue? For example... what is this
"only proxies" setting?

Arches, please test and mark stable:
=www-client/links-2.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Stable for HPPA.

Sparc stable.

alpha/ia64/x86 stable

AMD64 Arch Tester Report

Compiles/Installs: Clean
Functionality: Tested

Please keyword amd64

chadgentoo / # emerge --info
Portage 2.1.4.4 (default/linux/amd64/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.25-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.25-gentoo-r6 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor
4400+
Timestamp of tree: Wed, 16 Jul 2008 12:30:03 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r13, 2.5.2-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/terminfo
/etc/udev/rules.d"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict test unmerge-orphans user-sandbox
userfetch userpriv"
GENTOO_MIRRORS="http://distro.ibiblio.org/pub/linux/distributions/gentoo/
http://www.gtlib.gatech.edu/pub/gentoo
ftp://mirror.iawnet.sandia.gov/pub/gentoo/
ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://cudlug.cudenver.edu/gentoo/
http://gentoo.mirrors.pair.com/ http://open-systems.ufl.edu/mirrors/gentoo
http://mirror.datapipe.net/gentoo http://prometheus.cs.wmich.edu/gentoo
http://mirror.mcs.anl.gov/pub/gentoo/
http://gentoo.mirrors.easynews.com/linux/gentoo/
http://gentoo.cites.uiuc.edu/pub/gentoo/
http://mirror.fslutd.org/linux/distributions/gentoo/
http://gentoo.chem.wisc.edu/gentoo/ http://lug.mtu.edu/gentoo/"
LANG="en_US.utf-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdr cli
cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam
firefox fortran gdbm gif gnome gnutls gpm gstreamer gtk hal iconv isdnlog jpeg
kde kerberos ldap libnotify mad midi mikmod mmx mp3 mpeg mudflap multilib
ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd
python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl
sse sse2 ssl startup-notification svg tcpd tiff truetype unicode vorbis xml
xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106
cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0
intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc" INPUT_DEVICES="evdev mouse keyboard joystick" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

amd64 stable

ppc64 stable

ppc stable

I vote NO since this only affects a little set of configurations.

Here is the relevant patch:

diff -uNr -r links-2.1pre37/session.c links-2.1/session.c 
--- links-2.1pre37/session.c    2008-06-21 18:12:07.000000000 +0200 
+++ links-2.1/session.c 2008-06-29 18:47:21.000000000 +0200 
@@ -2317,6 +2317,7 @@ 
        if (a->accept_http && !strcasecmp(proto, "http")) ret = 1; 
        if (a->accept_ftp && !strcasecmp(proto, "ftp")) ret = 1; 
        mem_free(proto); 
+       if (proxies.only_proxies) ret = 0; 
        return ret; 
 } 



it's more like a bug of a specific links feature for me, concerning crawling
with anonymization for paranoid people.

I vote no and closing. Fell free to reopen if you disagree.