If you haven't received an answer yet...
(quoting Mike Heins)
[snip]
I do recognize the problem with Util.pm, and have corrected it, I believe.
I recommend all people remove view_page.html from their sites and apply this patch:
*** minivend-4.04/lib/Vend/Util.pm Wed Apr 12 11:07:04
2000
--- minivend-4.04a/lib/Vend/Util.pm Wed Jul 5 07:06:06
2000
*************** sub readfile {
*** 807,812 ****
--- 807,813 ----
return undef;
}
+ return undef if ! -f $file;
return undef if ! open(READIN, $file);
binmode(READIN) if $Global::Windows;
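Review bot: the added `-f` guard refuses anything that is not a regular file, but the two-argument `open(READIN, $file)` on the following context line still lets Perl interpret mode characters found in `$file`, so the guard is doing work the open call should do itself; the three-argument form `open(READIN, '<', $file)` treats `$file` as a plain path and would keep the fix intact even if the `-f` test were later removed. The `-f` test also does not restrict which regular file is read, so the leading-slash and `..` checks in view_page.html remain necessary wherever a caller-supplied path reaches readfile.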
### END PATCH
If you need the functionality of view_page.html, you can apply this patch to close up the hole temporarily:
*** minivend-4.04/dist/simple/pages/view_page.html Thu Mar 9
14:08:17 2000
--- minivend-4.04a/dist/simple/pages/view_page.html Wed Jul 5
07:10:49 2000
***************
*** 1,7 ****
[new]
[if !session arg]
No argument given.
! [elsif session arg =~ /^\/|\.\./]
<H1>Why would you do something <FONT
COLOR=__CONTRAST__>naughty</FONT>like putting
a leading slash or a .. in your URL? HMM???? I will use a new
feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <%
Log($Session->{remote_addr}) %>[/mvasp]
[/elsif]
--- 1,7 ----
[new]
[if !session arg]
No argument given.
! [elsif session arg =~ /^\/|\.\.|\|/]
<H1>Why would you do something <FONT
COLOR=__CONTRAST__>naughty</FONT>like putting
a leading slash or a .. in your URL? HMM???? I will use a new
feature: Log("Attack from " . $Session->{remote_addr}). [mvasp] <%
Log($Session->{remote_addr}) %>[/mvasp]
[/elsif]
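Review bot: the changed `[elsif session arg =~ /^\/|\.\.|\|/]` line extends a blocklist (leading slash, `..`, and now `|`), so the check is only as good as the list is complete; an allowlist that accepts only the characters a page name is expected to contain (a pattern anchored at both ends, such as `^[\w-]+$` when page names are single words, with the condition inverted so anything else lands in this branch) would not need another entry each time a further special sequence is found. Since the covering text calls this a temporary measure, the readfile change in Util.pm should be regarded as the real fix and this template check as defence in depth.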