Menu
▾
▴
[Slashcode-general] Security: add 'id' to filter_params
|
From: Jamie M. <ja...@mc...> - 2008-01-04 19:59:24
|
Whatever version of Slash you are running, please add 'id' to the list of numeric filtered parameters. This list can be found in the filter_params subroutine in Environment.pm. If you are on near-current code, you can just update to current code, it's in CVS. The (extremely simple) diff is here: <http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environ= ment/Environment.pm?r1=3D1.223&r2=3D1.224> diff -U3 -r1.223 -r1.224 --- Slash/Utility/Environment/Environment.pm 24 Oct 2007=20 21:19:34 -0000 1.223 +++ Slash/Utility/Environment/Environment.pm 4 Jan 2008=20 19:14:07 -0000 1.224 @@ -1823,7 +1823,7 @@ # fields that are numeric only my %nums =3D map {($_ =3D> 1)} qw( - approved artcount art_offset bseclev + approved artcount art_offset bseclev id buymore cid clbig clsmall cm_offset commentlimit commentsort commentspill del displaystatus limit You should also change the passwords for all your admin user accounts. We are working on a more complete writeup of this issue. That information will be posted to this mailing list on Monday morning, Jan. 7. It will also be posted to this slashcode.com story: http://www.slashcode.com/article.pl?sid=3D08/01/04/1950244 We post to slashcode.com infrequently, and when we do it's usually important. We recommend all site admins subscribe to its newsletter. Please go to <http://www.slashcode.com/my/messages> and make sure "Daily Newsletter" is set to "E-mail." --=20 Jamie McCarthy http://mccarthy.vg/ ja...@mc... |
