On 23 Oct 2008, at 19:55, Louis-David Mitterrand wrote:
> On Thu, Oct 23, 2008 at 05:11:27PM +0200, Aristotle Pagaltzis wrote:
>> * Louis-David Mitterrand vindex+lists-markdown-[EMAIL PROTECTED] [2008-10-23 13:55]:
>>> What is the fix?
>>
>> You have to patch Text::Markdown to add that line to the block
>> the regex is in. I see you have already filed a bug against
>> Text::Markdown, excellent.
>
> Wouldn't a better fix be to remove the vulnerability from the regex?
> In other words isn't use re 'eval'; weakening the module's security?

In this case, no, it isn't - as the string being interpolated into
the regex is another (static) chunk of pre-compiled regex.

I've released Text::Markdown 1.0.22 this evening, which corrects
this, and another bug.

Cheers
t0m
___
Markdown-Discuss mailing list
Markdown-Discuss@six.pairlist.net
http://six.pairlist.net/mailman/listinfo/markdown-discuss
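
The scoping question raised in this thread, as an added example that is not code from Text::Markdown or from any poster: `use re 'eval'` is lexical, so it only affects patterns compiled inside the block that declares it, and what matters is whether the text interpolated there is trusted. The names `$ran`, `$from_string` and `attempt` are hypothetical, and the pattern string is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

our $ran = 0;    # incremented by the embedded code block if it ever executes

# Constructed sample: pattern text arriving as a plain string at run time.
my $from_string = '(?{ $main::ran++ })a';

# Run a match inside eval so a refused pattern is reported instead of fatal.
sub attempt {
    my ($label, $match) = @_;
    my $before = $ran;
    my $ok     = eval { $match->(); 1 };
    my $err    = $ok ? '' : (split /\n/, $@)[0];
    printf "%-32s %-8s code block ran: %s\n",
        $label, ($ok ? 'compiled' : 'refused'), ($ran > $before ? 'yes' : 'no');
    print "    $err\n" if $err;
}

# 1. No pragma: Perl refuses to compile a run-time string containing (?{ }).
attempt('no pragma, string',
    sub { 'a' =~ /$from_string/ });

# 2. Pragma in a narrow lexical block: the same string now compiles and runs.
attempt(q{use re 'eval', string},
    sub { use re 'eval'; 'a' =~ /$from_string/ });

# 3. Same scope, but \Q...\E makes the interpolated text literal.
attempt(q{use re 'eval', \Q string \E},
    sub { use re 'eval'; 'a' =~ /\Q$from_string\E/ });

# 4. The pragma ended with the block above; this scope is unaffected.
attempt('after the block, string',
    sub { 'a' =~ /$from_string/ });
```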