[interchange-bugs] [rt.icdevgroup.org #306] [Comment] XSS Exploit in demo -- UserDB.pm
Gert van der Spoel via RT
interchange-comment at rt.icdevgroup.org
Mon Feb 28 08:21:52 UTC 2011
http://rt.icdevgroup.org/Ticket/Display.html?id=306
This is a comment. It is not sent to the Requestor(s):
patched:
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index 0f5f1f5..f74af93 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1828,7 +1828,7 @@ sub new_account {
}
# plain error message without user-supplied username
# to avoid XSS exploit (RT #306)
- die errmsg("Username contains illegal characters.\n")
+ die errmsg("Username contains illegal characters.") . "\n"
if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
die errmsg("Must have at least %s characters in username.",
$self->{USERMINLEN}) . "\n"
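Review bot: the check on the `if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};` line anchors with `$`, which in Perl also matches just before a trailing newline, so a username such as `"alice\n"` passes even when newline is not in VALIDCHARS; anchor with `\z` instead (`m{^$self->{VALIDCHARS}+\z}`) so the whole string must consist of valid characters. The only change in this hunk is moving `"\n"` out of the errmsg() argument, which makes the string errmsg() looks up the same form as the `Must have at least %s characters` message below it (`errmsg(...) . "\n"`) and leaves the trailing newline for die; the comment above it cites the RT #306 XSS fix, but dropping the user-supplied username from the message is not part of this diff, so the commit message should say this is a follow-up consistency change on top of that fix.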
@@ -1836,7 +1836,7 @@ sub new_account {
if($self->{OPTIONS}{captcha}) {
my $status = Vend::Tags->captcha( { function => 'check'
- die errmsg("Must input captcha code correctly.\n")
+ die errmsg("Must input captcha code correctly.") . "\n"
unless $status;
}
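Review bot: the captcha is only verified here, at line 1836, after the username format and length checks at line 1828 have already died with their own messages, so a client receives that validation feedback without passing the captcha; if the captcha is meant to gate account creation as a whole, check it before the username tests. The message string itself carries no user data and `die ... unless $status` fails closed on any false return from the captcha check, so the edit here is the same newline relocation as in the first hunk and does not change the XSS mitigation.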