OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 23-Jan-2003 11:37:14 Branch: HEAD Handle: 2003012310371300 Modified files: openpkg-web Makefile page.inc petidomo.cgi security.txt Log: flush pending changes Summary: Revision Changes Path 1.13 +1 -1 openpkg-web/Makefile 1.30 +1 -1 openpkg-web/page.inc 1.3 +10 -3 openpkg-web/petidomo.cgi 1.15 +1 -1 openpkg-web/security.txt ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/Makefile
============================================================================
$ cvs diff -u -r1.12 -r1.13 Makefile
--- openpkg-web/Makefile 22 Jan 2003 13:12:53 -0000 1.12
+++ openpkg-web/Makefile 23 Jan 2003 10:37:13 -0000 1.13
@@ -46,7 +46,7 @@
 wmk -f related.wml
 support.html: support.wml
 wmk -f support.wml
-security.html: security.wml
+security.html: security.wml security.txt
 wmk -f security.wml
 bugdb.html: bugdb.wml
 wmk -f bugdb.wml
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/page.inc
============================================================================
$ cvs diff -u -r1.29 -r1.30 page.inc
--- openpkg-web/page.inc 22 Jan 2003 13:12:54 -0000 1.29
+++ openpkg-web/page.inc 23 Jan 2003 10:37:13 -0000 1.30
@@ -52,7 +52,7 @@
 FONT,UL,OL,LI
 FORM,INPUT,
 BLOCKQUOTE,A,I,B,EM { font-family: helvetica,lucida,arial,sans-serif; }
-TT,CODE,SAMP,PRE { font-family: courier,courier-new,terminal,fixed,monospace; font-size: 90%; }
+TT,CODE,SAMP,PRE { font-family: courier,courier-new,terminal,fixed,monospace; font-size: 100%; }
 A { text-decoration: none; font-weight: bold; }
 A:link { text-decoration: none; font-weight: bold; color: #a09080; }
 A:visited { text-decoration: none; font-weight: bold; color: #a09080; }
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/petidomo.cgi
============================================================================
$ cvs diff -u -r1.2 -r1.3 petidomo.cgi
--- openpkg-web/petidomo.cgi 22 Nov 2001 16:55:58 -0000 1.2
+++ openpkg-web/petidomo.cgi 23 Jan 2003 10:37:13 -0000 1.3
@@ -48,15 +48,22 @@
 else {
 $qs{$name} = $value;
 }
+ # prevent cross side scripting (XSS) attacks
+ $qs{$name} =~ s/&/&/sg;
+ $qs{$name} =~ s/</</sg;
+ $qs{$name} =~ s/>/>/sg;
+ $qs{$name} =~ s/\(/(/sg;
+ $qs{$name} =~ s/\)/)/sg;
+ $qs{$name} =~ s/#/#/sg;
 }
 # check for parameter consistency
-die "You supplied to Email address."
+die "You supplied no Email address."
 if ($qs{email} eq '');
 die "Hmmm... <tt>your\@address.dom</tt> is certainly not correct, Dude."
 if ($qs{email} eq '[EMAIL PROTECTED]');
 die "Hmmm... <tt>$qs{email}</tt> doesn't look like a valid RFC822 mail address."
- if ($qs{email} !~ m|.+@.+|);
+ if ($qs{email} !~ m|^[a-zA-Z0-9_=%,.~+-]+@([a-zA-Z0-9]+)(\.[a-zA-Z0-9]+)*$|);
 die "At least one list has to be selected."
 if ($qs{list} eq '');
 die "At least one action has to be selected."
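Review bot: The new address check on the `+ if ($qs{email} !~ m|^...$|);` line rejects every domain that contains a hyphen (`user@mail-host.example`), because neither label class admits `-`, and `$` without `/m` still matches before a trailing newline, which matters if the value is later copied into a mail as the next hunk's `$mail` suggests; `m|\A[a-zA-Z0-9_=%,.~+-]+@([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*\z|` closes both gaps. The six substitutions encode every parameter at parse time, before validation, so the HTML-encoded form is also what reaches the non-HTML consumers of `%qs`; escaping belongs at the HTML sinks (the `<tt>$qs{email}</tt>` die messages and the result page) rather than at input, with the raw value kept for validation and the mail. As rendered here the substitutions read as identity replacements (`s/&/&/sg`), presumably because the entity text on the replacement side was decoded by the mail or web rendering; confirm against revision 1.3 that the replacement side actually carries the entities. The parameter-parsing loop that encloses the substitutions begins before this hunk.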
@@ -91,7 +98,7 @@
 "Ok, the ingredients of the form were successfully parsed " .
 "and forwarded to Petidomo via Email in the following format:" .
 "<p>" .
- "<table cellpadding=5 bgcolor=\"#f0f0f0\"><tr><td>" .
+ "<table cellpadding=5 bgcolor=\"#e5e0d5\"><tr><td>" .
 "<pre>$mail</pre>\n" .
 "</td></tr></table>" .
 "<p>" .
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
============================================================================
$ cvs diff -u -r1.14 -r1.15 security.txt
--- openpkg-web/security.txt 22 Jan 2003 16:04:53 -0000 1.14
+++ openpkg-web/security.txt 23 Jan 2003 10:37:13 -0000 1.15
@@ -1,4 +1,4 @@
-22-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.006-python>
+23-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.006-python>
 22-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.005-php>
 21-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.004-cvs>
 21-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.003-vim>
@@ .
______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]