As a side note, there is no need to explicitly disable parsing UPLOADER
directives because we --disable-dired at configure time, nor EXTERNAL
directives as we do not build with --enable-externs.
OK mestre@, tb@
against bzlib so the library would be used instead of the bzip2 binary.
We now disable bzip2 detection at the configure level (thanks to sthen@
for the pointers), which prevents accepting bzip2 compressed HTML and
thus avoids spawning processes.
OK tb@, sthen@
XLOADIMAGE_COMMAND value in userdefs.h, we also remove the possibility
of setting a custom value in lynx.cfg.
The ability to assign MIME types to external viewers via configuration
file (via the VIEWER variables) is also disabled.
OK tb@
sthen@ found that the mailcap mechanism can spawn a viewer. Rename
the hardcoded /etc/mailcap and ~/.mailcap files to /dev/null and
disable the ability to undo that via a config file. lynx copes by
offering to download files with MIME types it can't handle itself.
fcambus found that "lynx index.html" + typing e spawns an editor.
Hardcode "no_editor = TRUE" before pledge() and tweak manpage.
Most of this is by fcambus (MAINTAINER).
/dev/null bit from me, based on a hint from sthen@.
ok sthen@ on previous version
The heavy lifting and final touches were done by Frederic Cambus; this
version includes earlier patches, ideas and tweaks from daniel@ and me.
ok daniel@, patch and notes from Frederic Cambus (MAINTAINER)
Notes :
-------
The idea is to avoid using otherwise required 'getpw', 'proc', 'exec'
promises entirely. We achieve this by disabling a couple of features,
mostly removing obsolete stuff. While we are at it, we attempt to pave
the way to be able to remove even more promises in the future, and
reduce potential attack vectors.
We disable them either at compile time :
--disable-bibp-urls
--disable-dired
--disable-finger
Or by hardcoding boolean values to disable the features just before
calling pledge and entering main program loop :
no_exec = TRUE;
no_mail = TRUE;
no_shell = TRUE;
rlogin_ok = FALSE;
telnet_ok = FALSE;
Manpage has been updated to mention those restrictions.
Also, CFLAGS="-DNOUSERS" was added in the Makefile to disable getpwnam
and getpwuid.
rapidly-changing ac- series to the stable, lynx 2.7.2 release. ac- should
be in a lynx-current port.
Note that in the patches I pull some tricks with Makefiles that work _only_
because we are building out of variables set in bsd.port.mk.