If you haven't received an answer yet... (quoting Mike Heins) [snip] I do recognize the problem with Util.pm, and have corrected it, I believe. I recommend all people remove view_page.html from their sites and apply this patch: *** minivend-4.04/lib/Vend/Util.pm Wed Apr 12 11:07:04 2000 --- minivend-4.04a/lib/Vend/Util.pm Wed Jul 5 07:06:06 2000 *************** sub readfile { *** 807,812 **** --- 807,813 ---- return undef; } + return undef if ! -f $file; return undef if ! open(READIN, $file); binmode(READIN) if $Global::Windows; ### END PATCH If you need the functionality of view_page.html, you can apply this patch to close up the hole temporarily: *** minivend-4.04/dist/simple/pages/view_page.html Thu Mar 9 14:08:17 2000 --- minivend-4.04a/dist/simple/pages/view_page.html Wed Jul 5 07:10:49 2000 *************** *** 1,7 **** [new] [if !session arg] No argument given. ! [elsif session arg =~ /^\/|\.\./] <H1>Why would you do something <FONT COLOR=__CONTRAST__>naughty</FONT>like putting a leading slash or a .. in your URL? HMM???? I will use a new feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <% Log($Session->{remote_addr}) %>[/mvasp] [/elsif] --- 1,7 ---- [new] [if !session arg] No argument given. ! [elsif session arg =~ /^\/|\.\.|\|/] <H1>Why would you do something <FONT COLOR=__CONTRAST__>naughty</FONT>like putting a leading slash or a .. in your URL? HMM???? I will use a new feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <% Log($Session->{remote_addr}) %>[/mvasp] [/elsif]
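Review bot: the new `return undef if ! -f $file;` line in the `readfile` hunk only rejects non-regular paths (directories, devices, pipes); it does not constrain which regular files `$file` may name, and the `-f` test follows symlinks, so a path that escapes the page directory still reaches the `open(READIN, $file)` on the next context line. That `open` is the two-argument form, which treats a leading or trailing `|` in `$file` as a command to run, which is why the `view_page.html` hunk has to filter `|` separately. Suggest switching the context line to the three-argument form, `open(READIN, '<', $file)`, so the filename is never interpreted as a mode or pipe, and adding a check that the resolved path stays under the intended document root rather than relying on callers to filter it.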
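Review bot: the changed `[elsif session arg =~ /^\/|\.\.|\|/]` line is a deny-list on the `arg` value, now covering a leading slash, `..`, and `|`; any other character that the underlying `open` treats specially, or an encoding the template does not normalise before the match, would pass through. Prefer an allow-list on the same line (for example, accept only `/^[\w.\/-]+$/` and still reject `..`), and keep the real fix in `Util.pm` since this check only protects pages that copy it. Two smaller points in the same hunk: the `<H1>` opened in the message text is never closed, and the `[mvasp]` block logs only `$Session->{remote_addr}` while the preceding sentence says the log entry should read `"Attack from " . $Session->{remote_addr}`, so either the text or the call should be aligned.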