Quoting Carlo Marcelo Arenas Belon <[EMAIL PROTECTED]>:
Greetings, while looking at a diff between the 3.0.x branch and trunk for the web frontend noticed the following snippet (htmlentities is missing in 3.0.x):

@@ -331,7 +330,7 @@ header ("Pragma: no-cache"); // HTTP/1.0 if ($debug) { header ("Content-type: text/html"); - print "$command\n\n\n\n\n"; + print htmlentities( $command ) . "\n\n\n\n\n"; } else { header ("Content-type: image/gif");

I understand that $debug has been hardcoded to disable it in graph.php so this code path should never be exercised, but was still curious about why this snippet wasn't included in 3.0.6 anyway with all the other XSS fixes if it was applied to trunk and obviously available together with all the other changes.

Anyone could elaborate on the rationale behind that? And since 3.0.7 is going to be released soon, could we just add it as well there for consistency?

Carlo
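Review bot: the added `print htmlentities( $command )` line calls htmlentities() with its default flags and no charset, so single quotes in $command stay unencoded (the default was ENT_COMPAT on PHP of that era) and the encoding depends on the interpreter's default charset; since this branch serves the string as text/html (the Content-type header two lines above), `htmlentities($command, ENT_QUOTES, 'UTF-8')` would make the escaping explicit. The fact that $debug is hardcoded off in graph.php does not make the unescaped print harmless once someone re-enables it, which is a reason to carry the same line into every maintained branch rather than leave it trunk-only.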
When I started the XSS patches, I did them against trunk, not realizing that it was the 30-beta branch that was actually going into the release. I reapplied the changes I made in trunk to the 30-beta branch, and sent a patch to Bernard.
In between the two sets of changes, I realized (as you pointed out) that $debug is hardwired to be off, so this particular one wasn't on my list of changes to reapply to 30-beta. Sorry for the inconsistency.
Patch attached for 30-beta to resolve the issue.

alex
30-beta-graph-debug-htmlentities.patch.gz
_______________________________________________ Ganglia-developers mailing list Ganglia-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-developers