From: alex <al...@ya...> - 2002-02-22 10:35:07
At 23:18 13/02/2002, Brock Wolfe wrote:
> > Based on the notice to apply the upgrade to my 2.0.0 slash site
> > http://slashcode.com/article.pl?sid=02/02/07/1624221&mode=flat&tid=4

I can't see anyone posting a reply to this but yes - you seem to be right. The patch is not applicable. I suggest that you just edit Utility.pm manually and add in the line

> formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g },

in the appropriate place. (Don't include the plus sign.) If you are really keen you should remove the line

> Slash/Utility/Utility.pm 2001/05/07 17:59:57 1.10

and replace it with

> Slash/Utility/Utility.pm 2002/02/07 15:39:15

That is all that patch would do anyway.

Hopefully you have figured this out already. I must say the wording of the original article was very poor - I thought for ages that this security problem did *not* apply to version 2.0.0.

> diff -U3 -r1.10 Utility.pm > --- Slash/Utility/Utility.pm 2001/05/07 17:59:57 1.10 > +++ Slash/Utility/Utility.pm 2002/02/07 15:39:15 > @@ -2531,6 +2531,7 @@ > # special few > my %special = ( > sid => sub { $_[0] =~ s|[^A-Za-z0-9/._]||g }, > + formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g }, > ); > # qid is same as sid > $special{qid} = $special{sid};

Alex
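Review bot: the new `formkey` entry in `%special` silently strips every character outside `[A-Za-z0-9]` instead of rejecting the value, so a submitted formkey that contains other characters is rewritten into a different alphanumeric string and processing continues with it. That matches how the existing `sid` filter behaves, but for a key that is meant to be compared against a stored value it would be clearer to treat any input that changes under the filter as invalid, or at least to confirm that the caller does an exact match on the cleaned value. The only comment above the hash is `# special few`, which does not say why `formkey` needs a stricter character set than `sid` (no `/`, `.` or `_`); a one-line comment stating the expected formkey format and where the filtered value is used would help the next reader. The filter also places no bound on length, which may be worth adding if the formkey has a fixed size.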