[interchange-cvs] [SCM] Interchange branch, master, updated. REL_5_7_2-36-g42377c5

Stefan Hornburg interchange-cvs at icdevgroup.org
Thu Nov 5 17:30:23 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  42377c51c4a1ed925a528d0f32d1838e342c8ada (commit)
       via  90d447b0ca2bd800ab3a7add9545887c3e95d8b8 (commit)
      from  acf8d6506bb79904827f7821793b229bc04237fe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 42377c51c4a1ed925a528d0f32d1838e342c8ada
Merge: 90d447b0ca2bd800ab3a7add9545887c3e95d8b8 acf8d6506bb79904827f7821793b229bc04237fe
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Thu Nov 5 18:30:01 2009 +0100

    Merge branch 'master' of ssh://git.icdevgroup.org/var/git/interchange

commit 90d447b0ca2bd800ab3a7add9545887c3e95d8b8
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Thu Nov 5 18:19:20 2009 +0100

    avoid XSS exploit reported by Justin Otten

-----------------------------------------------------------------------

Summary of changes and diff:
 lib/Vend/Error.pm |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/lib/Vend/Error.pm b/lib/Vend/Error.pm
index 4a1f352..79df7a1 100644
--- a/lib/Vend/Error.pm
+++ b/lib/Vend/Error.pm
@@ -79,6 +79,11 @@ sub interaction_error {
 
     logError( "Difficulty interacting with browser: %s", $msg );
 
+	# avoid XSS problem
+	if ($msg !~ /^[\w\s\.]+$/) {
+		$msg = 'Invalid CGI input.';
+	}
+	
     $page = readin(find_special_page('interact'));
     if (defined $page) {
 		$page =~ s#\[message\]#$msg#ig;
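Review bot: the allow-list check `if ($msg !~ /^[\w\s\.]+$/)` drops the whole message as soon as it contains any other character, so legitimate diagnostics with a colon, comma, quote or hyphen will all collapse to 'Invalid CGI input.' and the browser-facing page loses the detail the logError line just recorded. Since the actual injection point is the substitution `$page =~ s#\[message\]#$msg#ig;`, it would be more robust to HTML-escape `$msg` (for example with HTML::Entities::encode_entities) before that substitution instead of, or in addition to, the pattern check; escaping at the point of output preserves the text while neutralizing markup. Two smaller points: `$` matches before a trailing newline, so a message ending in "\n" passes unchanged, and the new block uses tabs while the surrounding function uses spaces.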


hooks/post-receive
-- 
Interchange


