[interchange-cvs] interchange - pajamian modified lib/Vend/Order.pm

Fri Oct 24 10:11:35 UTC 2008


User:      pajamian
Date:      2008-10-24 10:11:35 GMT
Modified:  lib/Vend Order.pm
Log:
Fix a vulnerability where a string passed in the mv_order_item CGI variable is
displayed verbatim, without any input sanitization, if there is a valid sku in
mv_sku.  Thanks to Mat from Bibliopolis for discovering and reporting the
vulnerability.

Revision  Changes    Path
2.103                interchange/lib/Vend/Order.pm


rev 2.103, prev_rev 2.102
Index: Order.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Order.pm,v
retrieving revision 2.102
retrieving revision 2.103
diff -u -r2.102 -r2.103
--- Order.pm	3 Oct 2008 15:55:40 -0000	2.102
+++ Order.pm	24 Oct 2008 10:11:35 -0000	2.103
@@ -1,6 +1,6 @@
 # Vend::Order - Interchange order routing routines
 #
-# $Id: Order.pm,v 2.102 2008-10-03 15:55:40 racke Exp $
+# $Id: Order.pm,v 2.103 2008-10-24 10:11:35 pajamian Exp $
 #
 # Copyright (C) 2002-2008 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -29,7 +29,7 @@
 package Vend::Order;
 require Exporter;
 
-$VERSION = substr(q$Revision: 2.102 $, 10);
+$VERSION = substr(q$Revision: 2.103 $, 10);
 
 @ISA = qw(Exporter);
 
@@ -2286,8 +2286,9 @@
 		for (@sku) {
 			$_ = $::Variable->{MV_VARIANT_JOINER} || '0' if ! length($_);
 		}
-		$skus[0]   = $items[0];
 		$items[0] = join '-', @sku;
+		my $sku_field = $Vend::Cfg->{Options_repository}{Matrix}->{sku} || 'sku';
+		$skus[0] = Vend::Data::product_field($sku_field, $items[0]);
 	}
 
 	if ($Vend::Cfg->{UseModifier}) {
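Review bot: The lookup on the last added line, `Vend::Data::product_field($sku_field, $items[0])`, can yield undef when no product row matches the joined variant key, whereas the removed `$skus[0] = $items[0]` always left `$skus[0]` defined; code that later reads `$skus[0]` may now see undef instead of a sku string. That is presumably still better than echoing the unsanitized mv_order_item value, but the not-found case should be handled deliberately (for example `defined $skus[0] or $skus[0] = '';` plus a log line, or an explicit unknown-item branch) rather than left to whatever the consumers do with undef; I cannot see those consumers from this hunk. A why-comment would also help the next reader, e.g. `# Resolve the sku from the product table rather than copying mv_order_item, which is unsanitized user input` above the `my $sku_field` line. The enclosing `if` block begins before the hunk and the subroutine continues past it.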






