lynx lynxcgi handler flaw

[Josh Bressers <bressers () redhat com>]

Clint Ruoho brought this to our attention, and I think there is a greater benefit
in in sharing this than there is in keeping it embargoed.

The fix for CVE-2005-2929 only disable the lynxcgi handler when you're not in
advanced mode.  It's considered to not be a flaw in advanced mode because it
displays the URL that is selected.  The potential problem here though is if lynx
is called from the command line if it's your URL handler.

Clint pointed out that the easiest way to fix this is to just disable CGI support
in /etc/lynx.cfg, which I agree with, and is a wise default.

Initially I thought this was an issue that should be fixed, but I'm starting to
wonder this.  So some open discussion is in order.

Does anything allow the lynxcgi:// handler?  A user would have to have defined
this protocol handler, which I think is quite unlikely.

Thanks.

-- 
    JB