On 2003-07-08 at 19:44 -0700, Kelson Vibber wrote:
> syntaxes to extend the Dillo user-agent string:
>
>   Dillo/<version> (<system>)
>   Dillo/<version> (<platform>; <system>)
>
> Where <system> is the output of "uname -sm" (i.e. Linux PPC, FreeBSD i386, etc.) and <platform> is of the form (Windows|Macintosh|X11|etc.) as used by Mozilla (see http://www.mozilla.org/build/revised-user-agent-strings.html ).
>
> This would result in identification like the following:
>
>   Dillo/0.8 (Linux i386)
The problem with these is when there are security holes in image rendering libraries (e.g., versions of Netscape with custom handlers for extended information in GIF files). If you state the system architecture then it's relatively trivial to use the User-Agent field on the server side to select the image with the correct shell-code to exploit your system. If you say "FreeBSD" or "Linux" then you're stating which system calls are where. All of which helps a malicious web-site operator target their exploit to your browser.

As you note, Konqueror lets you configure the amount of information available without a source patch. I'm one of those who reduces the information to the minimum -- I'm happy supplying something saying "Konqueror" or "Dillo" and don't get upset at the version being present. I like to turn it off though -- this is one of the things which I like about Dillo -- it's so fast to compile that trivial local hacks like this become feasible. I don't supply patches for stuff that removes things that the developers like because it's their baby, but open source means I get to run stuff how I like it; everyone gets what they want (as long as they can make trivial hacks) so everyone's happy.

Since I patch anyway, it makes no difference to me -- I'd just remove the extra information. But I do think that people should think about how easy it is to target shell-code exploits with this sort of information given away.

--
2001: Blogging invented. Promises to change the way people bore strangers with banal anecdotes about their pets.
<http://www.thelemon.net/issues/timeline.php>
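To make the disclosure concrete, here is a small parser for the two proposed user-agent forms, written as an added example for this thread (it is not Dillo code, and the function names are hypothetical). It shows which fields a server can read back from the string, scores how much targeting-relevant detail is exposed, and produces the reduced form the reply above prefers.

```python
import re
from typing import Dict, Optional

# Matches the two forms proposed in the thread (and the bare product name):
#   Dillo/<version> (<system>)
#   Dillo/<version> (<platform>; <system>)
# where <system> is "uname -sm" output, i.e. OS name followed by machine type.
UA_RE = re.compile(r"^Dillo(?:/(?P<version>[\w.]+))?(?:\s+\((?P<comment>[^)]*)\))?$")


def parse_dillo_ua(ua: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields a server can read from a Dillo-style User-Agent,
    or None if the string is not in one of the proposed forms."""
    m = UA_RE.match(ua.strip())
    if not m:
        return None
    fields: Dict[str, Optional[str]] = {
        "version": m.group("version"), "platform": None, "os": None, "arch": None,
    }
    comment = m.group("comment")
    if comment:
        parts = [p.strip() for p in comment.split(";")]
        if len(parts) > 1:              # "(<platform>; <system>)" form
            fields["platform"] = parts[0]
        sys_parts = parts[-1].split()   # "<system>" is "uname -sm": OS then arch
        if sys_parts:
            fields["os"] = sys_parts[0]
        if len(sys_parts) > 1:
            fields["arch"] = sys_parts[1]
    return fields


def disclosure_level(ua: str) -> int:
    """Count the targeting-relevant facts given away: version, OS and architecture."""
    f = parse_dillo_ua(ua)
    if f is None:
        return 0
    return sum(1 for key in ("version", "os", "arch") if f[key])


def minimal_ua(ua: str, keep_version: bool = True) -> str:
    """Reduce a Dillo UA to product name plus (optionally) version, dropping OS/arch."""
    f = parse_dillo_ua(ua)
    if f is None or not keep_version or not f["version"]:
        return "Dillo"
    return f"Dillo/{f['version']}"


if __name__ == "__main__":
    # Constructed sample strings in the formats proposed in the quoted message.
    for ua in ("Dillo/0.8 (Linux i386)", "Dillo/0.8 (X11; FreeBSD i386)", "Dillo/0.8"):
        print(ua, "->", parse_dillo_ua(ua), "level", disclosure_level(ua), "min", minimal_ua(ua))
```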