[interchange-cvs] [SCM] Interchange branch, master, updated. REL_5_7_2-33-g771683c

David Christensen interchange-cvs at icdevgroup.org
Tue Nov 3 23:28:04 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  771683c75afa3b492793d576e17187f1b6f92d6c (commit)
      from  d7fb15a9472c976f03f491aa19395c614cb38b0f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 771683c75afa3b492793d576e17187f1b6f92d6c
Author: David Christensen <david at endpoint.com>
Date:   Tue Nov 3 17:21:40 2009 -0600

    Remove the explicit display of an invalid user-provided session id
    
    Hypothetically, some stupid browsers could be coerced into doing
    Something Bad; in any case, it's cleaner to just exclude it from the
    output altogether.
    
    Example URL:
    
    http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
    
    Reported by Mat Jones.

-----------------------------------------------------------------------

Summary of changes and diff:
 lib/Vend/Dispatch.pm |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/Vend/Dispatch.pm b/lib/Vend/Dispatch.pm
index caf3415..243539a 100644
--- a/lib/Vend/Dispatch.pm
+++ b/lib/Vend/Dispatch.pm
@@ -1309,15 +1309,14 @@ sub dispatch {
 	elsif (! $::Instance->{ExternalCookie} and $sessionid !~ /^\w+$/) {
 		my $msg = get_locale_message(
 						403,
-						"Unauthorized for that session %s. Logged.",
-						$sessionid,
+						"Malformed session identifier",
 						);
 		$Vend::StatusLine = <<EOF;
 Status: 403 Unauthorized
 Content-Type: text/plain
 EOF
 		response($msg);
-		logGlobal($msg);
+		logGlobal("$msg: $sessionid");
 		close_cat();
 		return;
 	}
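Review bot: `logGlobal("$msg: $sessionid")` on the last changed line writes the raw rejected value into the global log, and by construction (the `elsif` condition `$sessionid !~ /^\w+$/`) that value contains at least one non-word character, so newlines, NUL bytes or terminal escape sequences supplied in the query string reach the log unmodified and can split or spoof entries for whoever tails or parses it. Escape or strip non-word bytes first, for example `(my $safe = $sessionid) =~ s/([^\w])/sprintf('\\x%02x', ord $1)/ge;` followed by `logGlobal("$msg: $safe");`, and consider capping the length. A second point on the unchanged condition: in Perl `$` also matches before a trailing newline, so an id of the form `PMJCrmoJ\n` (`id=...%0a`) passes `/^\w+$/`; `/^\w+\z/` is the stricter form. Dropping the id from the response body is the right fix for the reflected script in the commit's example URL, since some browsers content-sniff a `text/plain` body as HTML; adding `X-Content-Type-Options: nosniff` to `$Vend::StatusLine` here would close that sniffing path regardless of what the body contains. Minor: the reason phrase for status 403 is `Forbidden`; `Unauthorized` belongs to 401.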


hooks/post-receive
-- 
Interchange
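The check and logging path described in the commit message, as an added Perl example that is not Interchange's own code: `check_session_id` is a hypothetical stand-alone stand-in for the branch patched in `Vend::Dispatch::dispatch`. It applies the same word-characters-only acceptance rule (anchored with `\z`), answers with a 403 whose body never contains user input, and hex-escapes every non-word byte of the rejected id before it is handed to the log. The inputs at the bottom are constructed; the second is the decoded probe from the commit's example URL.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: validate a user-supplied session id,
# answer with a 403 whose body never echoes the value, and log a sanitized
# copy of the rejected id.
use strict;
use warnings;

# Hypothetical stand-alone stand-in for the check in Vend::Dispatch::dispatch.
# Returns a hashref: { ok => 1 } for an acceptable id, otherwise the status
# header block, a fixed body and a log line that is safe to append to a text log.
sub check_session_id {
    my ($sessionid) = @_;
    $sessionid = '' unless defined $sessionid;

    # Word characters only. \z rather than $ so that a trailing newline
    # (id=...%0a) does not slip through: in Perl /^\w+$/ matches "abc\n".
    return { ok => 1 } if $sessionid =~ /^\w+\z/;

    # Hex-escape every non-word byte so the log line stays on one line and
    # carries no terminal escape sequences, then cap the length.
    (my $safe = $sessionid) =~ s/([^\w])/sprintf('\\x%02x', ord $1)/ge;
    $safe = substr($safe, 0, 64) . '...' if length($safe) > 64;

    my $msg = 'Malformed session identifier';      # no user input in the body
    return {
        ok     => 0,
        # 403's reason phrase is Forbidden; nosniff stops browsers that would
        # sniff a text/plain body as HTML.
        status => "Status: 403 Forbidden\n"
                . "Content-Type: text/plain\n"
                . "X-Content-Type-Options: nosniff\n",
        body   => $msg,
        log    => "$msg: $safe",
    };
}

# Constructed inputs: a good id, the decoded probe from the commit message's
# example URL, and an id that /^\w+$/ would accept only because of its
# trailing newline.
for my $id ('PMJCrmoJ', 'PMJCrmoJ"><script>alert(123)</script>', "PMJCrmoJ\n") {
    my $r = check_session_id($id);
    if ($r->{ok}) { print "accepted\n"; next; }
    print $r->{status}, "\n", $r->{body}, "\n";
    print "LOG: $r->{log}\n\n";
}
```

For the probe input the log line becomes `Malformed session identifier: PMJCrmoJ\x22\x3e\x3cscript\x3ealert\x28123\x29\x3c\x2fscript\x3e`, which is still readable when investigating but cannot inject a second log record or an escape sequence.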


