[interchange-cvs] [SCM] Interchange branch, master, updated. REL_5_7_2-36-g42377c5
Stefan Hornburg
interchange-cvs at icdevgroup.org
Thu Nov 5 17:30:23 UTC 2009
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".
The branch, master has been updated
via 42377c51c4a1ed925a528d0f32d1838e342c8ada (commit)
via 90d447b0ca2bd800ab3a7add9545887c3e95d8b8 (commit)
from acf8d6506bb79904827f7821793b229bc04237fe (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 42377c51c4a1ed925a528d0f32d1838e342c8ada
Merge: 90d447b0ca2bd800ab3a7add9545887c3e95d8b8 acf8d6506bb79904827f7821793b229bc04237fe
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date: Thu Nov 5 18:30:01 2009 +0100
Merge branch 'master' of ssh://git.icdevgroup.org/var/git/interchange
commit 90d447b0ca2bd800ab3a7add9545887c3e95d8b8
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date: Thu Nov 5 18:19:20 2009 +0100
avoid XSS exploit reported by Justin Otten
-----------------------------------------------------------------------
Summary of changes and diff:
lib/Vend/Error.pm | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/lib/Vend/Error.pm b/lib/Vend/Error.pm
index 4a1f352..79df7a1 100644
--- a/lib/Vend/Error.pm
+++ b/lib/Vend/Error.pm
@@ -79,6 +79,11 @@ sub interaction_error {
logError( "Difficulty interacting with browser: %s", $msg );
+ # avoid XSS problem
+ if ($msg !~ /^[\w\s\.]+$/) {
+ $msg = 'Invalid CGI input.';
+ }
+
$page = readin(find_special_page('interact'));
if (defined $page) {
$page =~ s#\[message\]#$msg#ig;
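Review bot: the allowlist at `if ($msg !~ /^[\w\s\.]+$/)` throws away the whole message instead of neutralising the characters that matter for the `$page =~ s#\[message\]#$msg#ig;` interpolation below it, so any ordinary diagnostic containing ':' , '(' or a quote now collapses to 'Invalid CGI input.'. HTML-escaping `$msg` before the substitution (for example with HTML::Entities::encode_entities on `<`, `>`, `&`, `"`) would keep the message readable and still block the injection. If the allowlist is kept, prefer an explicit `[A-Za-z0-9_ .]` class: `\w` and `\s` in Perl are locale and Unicode aware, so the accepted set varies with the interpreter's settings. Note also that the check sits after the logError call, so the log still receives the raw message; that is fine for diagnosis but deserves a comment saying it is intentional.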
hooks/post-receive
--
Interchange