[interchange-cvs] [SCM] Interchange branch, STABLE_5_6-branch, updated. 061f546871ca9e245c5a7fbf89d5e9a226deacad
Stefan Hornburg
interchange-cvs at icdevgroup.org
Thu Aug 27 09:55:31 UTC 2009
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".
The branch, STABLE_5_6-branch has been updated
via 061f546871ca9e245c5a7fbf89d5e9a226deacad (commit)
from 4f6202c6361ec3f624bde8783813b65e4ff17564 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 061f546871ca9e245c5a7fbf89d5e9a226deacad
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date: Thu Aug 27 11:54:41 2009 +0200
Fixed cross site scripting exploit in account creation (#306).
-----------------------------------------------------------------------
Summary of changes and diff:
WHATSNEW-5.6 | 2 ++
lib/Vend/UserDB.pm | 5 +++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/WHATSNEW-5.6 b/WHATSNEW-5.6
index bc9e4ac..ab271dc 100644
--- a/WHATSNEW-5.6
+++ b/WHATSNEW-5.6
@@ -34,6 +34,8 @@ Core
* Update broken getppid() detection for Perl 5.10.0.
+* Fixed cross site scripting exploit in account creation (#306).
+
Tags
----
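Review bot: the WHATSNEW line should state the user-visible change rather than only the ticket number: the "illegal characters" error from new_account no longer includes the submitted username. That one detail lets anyone reading the changelog decide whether custom templates or translations keyed on the old message text need updating.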
diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index a54b6ab..cc591aa 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1695,8 +1695,9 @@ sub new_account {
$self->{USERNAME} = lc $self->{USERNAME}
if $self->{OPTIONS}{ignore_case};
}
- die errmsg("Can't have '%s' as username; it contains illegal characters.",
- $self->{USERNAME}) . "\n"
+ # plain error message without user-supplied username
+ # to avoid XSS exploit (RT #306)
+ die errmsg("Username contains illegal characters.")
if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
die errmsg("Must have at least %s characters in username.",
$self->{USERMINLEN}) . "\n"
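Review bot: the new `die errmsg("Username contains illegal characters.")` drops the trailing `. "\n"` that the removed lines had and that the following `die errmsg("Must have at least %s characters in username.", ...) . "\n"` keeps. Without a terminating newline Perl's die appends " at <file> line <n>." to the message, so the text shown to the user would now carry the module path and line number; add `. "\n"` to match the neighbouring check. Dropping the echoed username does close this reflection point, but since the message is evidently rendered into HTML unescaped, any other errmsg string that interpolates user input has the same exposure; escaping at the point where the error is displayed would cover them all.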
hooks/post-receive
--
Interchange