[interchange-cvs] [SCM] Interchange branch, master, updated. REL_5_7_2-33-g771683c
David Christensen
interchange-cvs at icdevgroup.org
Tue Nov 3 23:28:04 UTC 2009
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".
The branch, master has been updated
via 771683c75afa3b492793d576e17187f1b6f92d6c (commit)
from d7fb15a9472c976f03f491aa19395c614cb38b0f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 771683c75afa3b492793d576e17187f1b6f92d6c
Author: David Christensen <david at endpoint.com>
Date: Tue Nov 3 17:21:40 2009 -0600
Remove the explicit display of an invalid user-provided session id
Hypothetically, some stupid browsers could be coerced into doing
Something Bad; in any case, it's cleaner to just exclude it from the
output altogether.
Example URL:
http://example.com/cgi-bin/catalog/catalogs.html?id=PMJCrmoJ%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
Reported by Mat Jones.
-----------------------------------------------------------------------
Summary of changes and diff:
lib/Vend/Dispatch.pm | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/Vend/Dispatch.pm b/lib/Vend/Dispatch.pm
index caf3415..243539a 100644
--- a/lib/Vend/Dispatch.pm
+++ b/lib/Vend/Dispatch.pm
@@ -1309,15 +1309,14 @@ sub dispatch {
elsif (! $::Instance->{ExternalCookie} and $sessionid !~ /^\w+$/) {
my $msg = get_locale_message(
403,
- "Unauthorized for that session %s. Logged.",
- $sessionid,
+ "Malformed session identifier",
);
$Vend::StatusLine = <<EOF;
Status: 403 Unauthorized
Content-Type: text/plain
EOF
response($msg);
- logGlobal($msg);
+ logGlobal("$msg: $sessionid");
close_cat();
return;
}
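Review bot: the raw `$sessionid` still reaches the global log unfiltered in `logGlobal("$msg: $sessionid");`, so whatever the client put in the id (quotes, `<script>`, control characters) is now written verbatim to the log instead of the response; since the branch is only taken when `$sessionid !~ /^\w+$/`, the logged value is by definition one containing non-word characters. Consider truncating it and neutralising non-`\w` characters before logging, e.g. `(my $safe = substr($sessionid, 0, 64)) =~ s/\W/?/g;` and then `logGlobal("$msg: $safe");`, so log viewers and terminals are not exposed to the payload the response no longer echoes. Separately, the unchanged context line `Status: 403 Unauthorized` pairs the 403 code with the reason phrase of 401; the standard phrase for 403 is `Forbidden`, though that predates this change.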
hooks/post-receive
--
Interchange