From: Marc G. K. <ma...@it...> - 2002-12-05 18:32:51
Christian Hammers said:
> Hello
>
> Quoting Thijs Kinkhorst <lists@ki...>
>> I would like it if Martin Schulze of Debian had informed us of his
>> patch, that is considered good practice in the open source world: if you
>> fix something, let the developers know so it can be fixed upstream.
>
> I just mailed with Martin and he told me that he did inform the
> squirrelmail team. A Jason Munro outed himself on BugTraq as squirrelmail
> upstream member and replied to the mail from DarC KonQuest. Martin
> mailed him (and asked me to quote it here):
>
> ------
> Date: Sun, 27 Oct 2002 20:56:25 +0100
> From: Martin Schulze <jo...@in...>
> To: Jason Munro <ja...@st...>
>
> Ok, I finally found
>
> strip_tags($_SERVER['PHP_SELF']);
>
> in global.php.
>
> However, shouldn't this read
>
> $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
>
> in order to be useful?
> ------
>
> So Debian behaved correctly, I guess :-)
>
> bye,
>
> -christian-

Probably, but the fix does not solve the "exploit" in case of urlencoded tags.

$_SERVER['PHP_SELF'] = urlencode(strip_tags(urldecode($_SERVER['PHP_SELF'])));

is a better fix.

Regards,

Marc Groot Koerkamp.
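Added example, not code from this thread or from SquirrelMail: a small PHP script that runs the three variants discussed above (the assignment-less strip_tags() call found in global.php, Martin's plain strip_tags() assignment, and Marc's decode/strip/encode version) over constructed PHP_SELF values, one of them carrying a percent-encoded tag. The sample paths are made up for the demonstration.

```php
<?php
// Added example (not SquirrelMail's code): compares the three variants of the
// global.php fix from the thread on constructed PHP_SELF values.

// Variant 1, as found in global.php: the return value of strip_tags() is
// discarded, so the value is handed back unchanged.
function noop_fix(string $self): string {
    strip_tags($self);
    return $self;
}

// Variant 2, the assignment Martin suggested: literal tags are removed, but a
// percent-encoded tag is not recognised as a tag and passes through as-is.
function strip_fix(string $self): string {
    return strip_tags($self);
}

// Variant 3, the decode/strip/encode version Marc proposes: the value is
// decoded first, so encoded tags are stripped too, then re-encoded.
function decode_strip_encode_fix(string $self): string {
    return urlencode(strip_tags(urldecode($self)));
}

// Constructed sample values, not captured from a real request.
$samples = [
    '/src/webmail.php',
    '/src/webmail.php/<script>alert(1)</script>',
    '/src/webmail.php/%3Cscript%3Ealert(1)%3C/script%3E',
];

foreach ($samples as $self) {
    printf("input:              %s\n", $self);
    printf("  no-op:            %s\n", noop_fix($self));
    printf("  strip_tags only:  %s\n", strip_fix($self));
    printf("  decode/strip/enc: %s\n", decode_strip_encode_fix($self));
}
```

Note that urlencode() also encodes "/" as "%2F", so the third variant changes even a clean path; anything that later builds links from $_SERVER['PHP_SELF'] has to account for that.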