On 26/04/12 00:56, Mike Gabriel wrote:
> ... the shellarg escaping has been completely
> removed from the hook handling again.

> For 2.6.12 I find this page:
> https://oss.gonicus.de/labs/gosa/browser/trunk/gosa-core/html/password.php?rev=20607

I don't know what the purpose of that code is, or why it is okay not to
escape passwords there...


But the (very similar) code relevant to the Debian Edu issue is in a
different file:

https://oss.gonicus.de/labs/gosa/changeset/19466/trunk/gosa-core/include/functions.inc

The latest version in SVN still escapes the password there, as I think
it should do.  The change was introduced in the 2.6.12 release.  I think
maybe Squeeze should cherry-pick that commit for s-p-u but I haven't
been able to set up a test installation to try this yet.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

