[interchange-cvs] [SCM] Interchange branch, master, updated. e138fd2e4e35b633a56bf307fb51465be7a71053

Stefan Hornburg interchange-cvs at icdevgroup.org
Thu Aug 27 10:00:13 UTC 2009

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  e138fd2e4e35b633a56bf307fb51465be7a71053 (commit)
      from  092bd56ab8e25c4b436dc4c08db0f4e11c8dbb0a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e138fd2e4e35b633a56bf307fb51465be7a71053
Author: Stefan Hornburg (Racke) <racke at linuxia.de>
Date:   Thu Aug 27 11:59:50 2009 +0200

    Fixed cross site scripting exploit in account creation (#306).


Summary of changes and diff:
 lib/Vend/UserDB.pm |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index aa91f9e..f12bf12 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1847,8 +1847,9 @@ sub new_account {
 			$self->{USERNAME} = lc $self->{USERNAME}
 				if $self->{OPTIONS}{ignore_case};
-		die errmsg("Can't have '%s' as username; it contains illegal characters.",
-			$self->{USERNAME}) . "\n"
+		# plain error message without user-supplied username
+		# to avoid XSS exploit (RT #306)
+		die errmsg("Username contains illegal characters.")
 			if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
 		die errmsg("Must have at least %s characters in username.",
 			$self->{USERMINLEN}) . "\n"


More information about the interchange-cvs mailing list