[interchange-cvs] interchange - pajamian modified 2 files
interchange-cvs at icdevgroup.org
Fri Oct 24 10:19:06 UTC 2008
User: pajamian
Date: 2008-10-24 10:19:06 GMT
Modified: . Tag: STABLE_5_6-branch WHATSNEW-5.6
Modified: lib/Vend Tag: STABLE_5_6-branch Order.pm
Log:
Fix vulnerability where a string passed in the mv_order_item CGI variable is
displayed verbatim without any input sanitation if there is a valid sku in
mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
vulnerability.
Revision Changes Path
2.1.2.11 interchange/Attic/WHATSNEW-5.6
rev 2.1.2.11, prev_rev 2.1.2.10
Index: WHATSNEW-5.6
===================================================================
RCS file: /var/cvs/interchange/Attic/WHATSNEW-5.6,v
retrieving revision 2.1.2.10
retrieving revision 2.1.2.11
diff -u -r2.1.2.10 -r2.1.2.11
--- WHATSNEW-5.6 3 Oct 2008 15:52:38 -0000 2.1.2.10
+++ WHATSNEW-5.6 24 Oct 2008 10:19:06 -0000 2.1.2.11
@@ -32,6 +32,11 @@
Thanks to Mathew Jones for the report.
+* Fix vulnerability where a string passed in the mv_order_item CGI variable is
+ displayed verbatim without any input sanitation if there is a valid sku in
+ mv_sku. Thanks to Mat from Bibliopolis for discovering and reporting the
+ vulnerability.
+
Payment
-------
2.100.2.2 interchange/lib/Vend/Order.pm
rev 2.100.2.2, prev_rev 2.100.2.1
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.100.2.1
retrieving revision 2.100.2.2
diff -u -r2.100.2.1 -r2.100.2.2
--- Order.pm 3 Oct 2008 15:50:45 -0000 2.100.2.1
+++ Order.pm 24 Oct 2008 10:19:06 -0000 2.100.2.2
@@ -1,6 +1,6 @@
# Vend::Order - Interchange order routing routines
#
-# $Id: Order.pm,v 2.100.2.1 2008-10-03 15:50:45 racke Exp $
+# $Id: Order.pm,v 2.100.2.2 2008-10-24 10:19:06 pajamian Exp $
#
# Copyright (C) 2002-2008 Interchange Development Group
# Copyright (C) 1996-2002 Red Hat, Inc.
@@ -29,7 +29,7 @@
package Vend::Order;
require Exporter;
-$VERSION = substr(q$Revision: 2.100.2.1 $, 10);
+$VERSION = substr(q$Revision: 2.100.2.2 $, 10);
@ISA = qw(Exporter);
@@ -2325,8 +2325,9 @@
for (@sku) {
$_ = $::Variable->{MV_VARIANT_JOINER} || '0' if ! length($_);
}
- $skus[0] = $items[0];
$items[0] = join '-', @sku;
+ my $sku_field = $Vend::Cfg->{Options_repository}{Matrix}->{sku} || 'sku';
+ $skus[0] = Vend::Data::product_field($sku_field, $items[0]);
}
if ($Vend::Cfg->{UseModifier}) {
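Review bot: the new `$skus[0] = Vend::Data::product_field($sku_field, $items[0]);` line has no handling for the case where the lookup finds nothing for the joined SKU in `$items[0]`; if `product_field` returns an empty value there, `$skus[0]` is left empty with no fallback and no indication of which path is intended, so either add an explicit check on the returned value or a comment stating that an empty `$skus[0]` is acceptable. It would also help maintainers to add a one-line comment next to the replaced `$skus[0] = $items[0];` assignment explaining that `$skus[0]` is deliberately taken from the product database field (`Options_repository` `Matrix` `sku`, defaulting to `'sku'`) rather than from the raw `mv_order_item` value, since that is the whole point of the fix and it is easy to undo by accident in a later refactor.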