[interchange-cvs] [SCM] Interchange branch, STABLE_5_6-branch, updated. 061f546871ca9e245c5a7fbf89d5e9a226deacad

Stefan Hornburg interchange-cvs at icdevgroup.org
Thu Aug 27 09:55:31 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, STABLE_5_6-branch has been updated
       via  061f546871ca9e245c5a7fbf89d5e9a226deacad (commit)
      from  4f6202c6361ec3f624bde8783813b65e4ff17564 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 061f546871ca9e245c5a7fbf89d5e9a226deacad
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Thu Aug 27 11:54:41 2009 +0200

    Fixed cross site scripting exploit in account creation (#306).

-----------------------------------------------------------------------

Summary of changes and diff:
 WHATSNEW-5.6       |    2 ++
 lib/Vend/UserDB.pm |    5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/WHATSNEW-5.6 b/WHATSNEW-5.6
index bc9e4ac..ab271dc 100644
--- a/WHATSNEW-5.6
+++ b/WHATSNEW-5.6
@@ -34,6 +34,8 @@ Core
 
 * Update broken getppid() detection for Perl 5.10.0.
 
+* Fixed cross site scripting exploit in account creation (#306).
+
 Tags
 ----
 
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index a54b6ab..cc591aa 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1695,8 +1695,9 @@ sub new_account {
 			$self->{USERNAME} = lc $self->{USERNAME}
 				if $self->{OPTIONS}{ignore_case};
 		}
-		die errmsg("Can't have '%s' as username; it contains illegal characters.",
-			$self->{USERNAME}) . "\n"
+		# plain error message without user-supplied username
+		# to avoid XSS exploit (RT #306)
+		die errmsg("Username contains illegal characters.")
 			if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
 		die errmsg("Must have at least %s characters in username.",
 			$self->{USERMINLEN}) . "\n"
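Review bot: the new `die errmsg("Username contains illegal characters.")` drops the `. "\n"` that the removed line and the following `die errmsg("Must have at least %s characters in username.", ...) . "\n"` both keep, so Perl will now append " at lib/Vend/UserDB.pm line N." to this message; add `. "\n"` after the `errmsg(...)` call for consistency with the neighbouring checks. Removing the reflected username from this one message stops attacker-controlled text from reaching the page here, but it does not cover any other place `$self->{USERNAME}` is rendered; escaping the error text where it is emitted into HTML would close the whole class rather than this single instance.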


hooks/post-receive
-- 
Interchange



More information about the interchange-cvs mailing list