[interchange-cvs] interchange - pajamian modified 2 files

interchange-cvs at icdevgroup.org
Fri Oct 24 10:19:06 UTC 2008


User:      pajamian
Date:      2008-10-24 10:19:06 GMT
Modified:  .        Tag: STABLE_5_6-branch WHATSNEW-5.6
Modified:  lib/Vend Tag: STABLE_5_6-branch Order.pm
Log:
Fix vulnerability where a string passed in the mv_order_item CGI variable is
displayed verbatim without any input sanitation if there is a valid sku in
mv_sku.  Thanks to Mat from Bibliopolis for discovering and reporting the
vulnerability.

Revision  Changes    Path
2.1.2.11             interchange/Attic/WHATSNEW-5.6


rev 2.1.2.11, prev_rev 2.1.2.10
Index: WHATSNEW-5.6
===================================================================
RCS file: /var/cvs/interchange/Attic/WHATSNEW-5.6,v
retrieving revision 2.1.2.10
retrieving revision 2.1.2.11
diff -u -r2.1.2.10 -r2.1.2.11
--- WHATSNEW-5.6	3 Oct 2008 15:52:38 -0000	2.1.2.10
+++ WHATSNEW-5.6	24 Oct 2008 10:19:06 -0000	2.1.2.11
@@ -32,6 +32,11 @@
   
   Thanks to Mathew Jones for the report.
 
+* Fix vulnerability where a string passed in the mv_order_item CGI variable is
+  displayed verbatim without any input sanitation if there is a valid sku in
+  mv_sku.  Thanks to Mat from Bibliopolis for discovering and reporting the
+  vulnerability.
+
 Payment
 -------
 
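Review bot: the WHATSNEW entry describes the bug but not the fix; for a security entry, an administrator deciding whether to upgrade wants the mechanism in one line, e.g. "the SKU shown to the user is now looked up from the product database (Vend::Data::product_field) instead of being echoed back from the mv_order_item value". The same paragraph is reused verbatim from the commit log, so "input sanitation" should read "input sanitization" in both places.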

2.100.2.2            interchange/lib/Vend/Order.pm


rev 2.100.2.2, prev_rev 2.100.2.1
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.100.2.1
retrieving revision 2.100.2.2
diff -u -r2.100.2.1 -r2.100.2.2
--- Order.pm	3 Oct 2008 15:50:45 -0000	2.100.2.1
+++ Order.pm	24 Oct 2008 10:19:06 -0000	2.100.2.2
@@ -1,6 +1,6 @@
 # Vend::Order - Interchange order routing routines
 #
-# $Id: Order.pm,v 2.100.2.1 2008-10-03 15:50:45 racke Exp $
+# $Id: Order.pm,v 2.100.2.2 2008-10-24 10:19:06 pajamian Exp $
 #
 # Copyright (C) 2002-2008 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -29,7 +29,7 @@
 package Vend::Order;
 require Exporter;
 
-$VERSION = substr(q$Revision: 2.100.2.1 $, 10);
+$VERSION = substr(q$Revision: 2.100.2.2 $, 10);
 
 @ISA = qw(Exporter);
 
@@ -2325,8 +2325,9 @@
 		for (@sku) {
 			$_ = $::Variable->{MV_VARIANT_JOINER} || '0' if ! length($_);
 		}
-		$skus[0]   = $items[0];
 		$items[0] = join '-', @sku;
+		my $sku_field = $Vend::Cfg->{Options_repository}{Matrix}->{sku} || 'sku';
+		$skus[0] = Vend::Data::product_field($sku_field, $items[0]);
 	}
 
 	if ($Vend::Cfg->{UseModifier}) {
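Review bot: Vend::Data::product_field returns nothing when the joined SKU in $items[0] does not match a product, so $skus[0] can now be undefined where it previously always carried the raw mv_order_item string; the code after this block, and anything that later reports the item back to the user, should be checked for a fallback that would reuse the unsanitized input when $skus[0] is empty. A short comment above the two added lines stating that $skus[0] is deliberately taken from the product record rather than from mv_order_item would keep a future refactor from reintroducing the echo. The `|| 'sku'` default for the Matrix sku field when Options_repository is not configured looks correct.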
