Brian May writes:
> This patch however may not be complete. Doing a quick "grep get_rdn" I
> see one line that looks vulnerable still:
Now filed a bug with upstream: https://sourceforge.net/p/lam/bugs/196/
--
Brian May
Brian May writes:
> Yes, agreed. Not a fan myself of this (outdated?) coding style,
> constructing HTML by hand like this is prone to errors like this. Easier
> to get it wrong than it is to get it right.
Also for the record, in 2006 I tested this package to fill requirements
by my employment at
Chris Lamb writes:
> Cool. Just confirming as changing it globally would, of course, avoid
> any potential missed call sites inside ldap-account-manager itself or
> anything that happened to call into it or use it as a library somehow.
Yes, agreed. Not a fan myself of this (outdated?) coding sty
Hi Brian,
> > I assume that the get_rdn function cannot universally return with
> > "htmlspecialchars" applied?
>
> The results of get_rdn should only be quoted when the result is
> displayed via HTML.
Cool. Just confirming as changing it globally would, of course, avoid
any potential missed cal
Chris Lamb writes:
> I assume that the get_rdn function cannot universally return with
> "htmlspecialchars" applied?
The results of get_rdn should only be quoted when the result is
displayed via HTML.
There are places in the code that use get_rdn in other ways, and these
are likely to break if
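The escape-at-the-sink point made in this thread, as an added PHP example that is not ldap-account-manager's own code: get_rdn() below is a stand-in that only takes the first DN component, and the two consumers (an HTML cell renderer and an LDAP filter builder) plus the sample DN are constructed for illustration. It shows why applying htmlspecialchars inside get_rdn itself would break a non-HTML caller while escaping at the HTML sink leaves it intact.

```php
<?php
// Added example; not LAM's code. get_rdn() is a stand-in with the behaviour
// discussed in the thread: it returns the raw RDN ("attr=value") of a DN.
function get_rdn(string $dn): string
{
    return explode(',', $dn, 2)[0];
}

// Variant that escapes globally, i.e. inside the accessor. Every caller now
// receives HTML-encoded data whether or not it is rendering HTML.
function get_rdn_globally_escaped(string $dn): string
{
    return htmlspecialchars(get_rdn($dn), ENT_QUOTES, 'UTF-8');
}

// HTML sink: escaping belongs here, at the point of output.
function render_rdn_cell(string $dn): string
{
    return '<td>' . htmlspecialchars(get_rdn($dn), ENT_QUOTES, 'UTF-8') . '</td>';
}

// Minimal RFC 4515 filter-value escaper (assumed helper, dependency-free
// stand-in for ldap_escape() so the example runs without ext/ldap).
function ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// Non-HTML consumer: build an LDAP search filter from the RDN. This caller
// must see the raw value; HTML entities here would match the wrong entry.
function rdn_to_filter(string $rdn): string
{
    [$attr, $value] = explode('=', $rdn, 2);
    return '(' . $attr . '=' . ldap_filter_escape($value) . ')';
}

// Constructed sample input: an attacker-controlled cn carrying markup and '&'.
$dn = 'cn=<script>alert(1)</script>&co,ou=people,dc=example,dc=com';

// Correct: raw RDN for LDAP, escaped only when it hits HTML.
$htmlCell = render_rdn_cell($dn);
// <td>cn=&lt;script&gt;alert(1)&lt;/script&gt;&amp;co</td>
$filter = rdn_to_filter(get_rdn($dn));
// (cn=<script>alert\281\29</script>&co)

// Wrong: the globally escaped accessor feeds HTML entities into the filter,
// so the search looks for "&lt;script&gt;...&amp;co" instead of the real value.
$brokenFilter = rdn_to_filter(get_rdn_globally_escaped($dn));

echo $htmlCell, "\n", $filter, "\n", $brokenFilter, "\n";
```

The difference between `$filter` and `$brokenFilter` is the breakage the thread refers to: once the accessor encodes for HTML, every LDAP-facing caller silently operates on a different string than the directory holds, which is why the fix has to go into each HTML output site rather than into get_rdn.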