Brian May writes:
> This patch however may not be complete. Doing a quick "grep get_rdn" I
> see one line that looks vulnerable still:
Now filed a bug with upstream: https://sourceforge.net/p/lam/bugs/196/
--
Brian May
Brian May writes:
> Yes, agreed. Not a fan myself of this (outdated?) coding style,
> constructing HTML by hand like this is prone to errors like this. Easier
> to get it wrong than it is to get it right.
Also for the record, in 2006 I tested this package to fill requirements
by my employment at
Chris Lamb writes:
> Cool. Just confirming as changing it globally would, of course, avoid
> any potential missed call sites inside ldap-account-manager itself or
> anything that happened to call into it or use it as a library somehow.
Yes, agreed. Not a fan myself of this (outdated?) coding style,
constructing HTML by hand like this is prone to errors like this. Easier
to get it wrong than it is to get it right.
--
Brian May
Cool. Just confirming as changing it globally would, of course, avoid
any potential missed call sites inside ldap-account-manager itself or
anything that happened to call into it or use it as a library somehow.
Thank you for checking. :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
Chris Lamb writes:
> I assume that the get_rdn function cannot universally return with
> "htmlspecialchars" applied?
The results of get_rdn should only be quoted when the result is
displayed via HTML.
There are places in the code that use get_rdn in other ways, and these
are likely to break if
Chris Lamb writes:
> I assume that the get_rdn function cannot universally return with
> "htmlspecialchars" applied?
Good question. I suspect there is a good reason it was done this way, will
double check tomorrow.
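The distinction discussed in this thread (escape the result of get_rdn at the point where it is written into HTML, not inside the helper, because other callers use the value for non-HTML purposes), as an added, self-contained PHP example. This is not code from ldap-account-manager; the function names extractRdn, extractRdnEscaped, renderRdnHtml and rdnSearchFilter, and the sample DNs, are assumptions made for the illustration.

```php
<?php
// Added example for this thread; it is not code from ldap-account-manager
// (LAM). All function names (extractRdn, extractRdnEscaped, renderRdnHtml,
// rdnSearchFilter) and the sample DNs are assumptions made for illustration.
declare(strict_types=1);

// Return the value of the first RDN of a DN, the job a get_rdn-style helper
// does. Splits on the first comma that is not backslash-escaped (RFC 4514).
function extractRdn(string $dn): string
{
    $parts = preg_split('/(?<!\\\\),/', $dn, 2);
    $first = $parts === false ? $dn : $parts[0];
    $eq = strpos($first, '=');
    return $eq === false ? $first : substr($first, $eq + 1);
}

// The "global" variant the thread asks about: escaping inside the helper.
function extractRdnEscaped(string $dn): string
{
    return htmlspecialchars(extractRdn($dn), ENT_QUOTES, 'UTF-8');
}

// HTML consumer: escape at the output boundary, and nowhere else.
function renderRdnHtml(string $rdn): string
{
    return '<td>' . htmlspecialchars($rdn, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Non-HTML consumer: the RDN becomes an LDAP search filter assertion, which
// needs RFC 4515 filter escaping, not HTML escaping. PHP's ldap_escape() with
// LDAP_ESCAPE_FILTER does the same; it is written out here so the example
// does not depend on ext/ldap being loaded.
function rdnSearchFilter(string $rdn): string
{
    $escaped = strtr($rdn, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
    return '(uid=' . $escaped . ')';
}

// Constructed sample DNs (not taken from any real directory).
$samples = [
    "uid=O'Brien <b>,ou=people,dc=example,dc=org",
    'uid=x*)(objectClass=*,ou=people,dc=example,dc=org',
];

foreach ($samples as $dn) {
    $rdn = extractRdn($dn);
    echo "DN:                 $dn\n";
    echo 'HTML cell:          ' . renderRdnHtml($rdn) . "\n";
    echo 'LDAP filter:        ' . rdnSearchFilter($rdn) . "\n";
    // With escaping pushed into the helper, the filter carries HTML entities
    // and no longer matches the entry the RDN was read from, and HTML output
    // that escapes again double-encodes the value.
    echo 'Filter, global esc: ' . rdnSearchFilter(extractRdnEscaped($dn)) . "\n";
    echo 'HTML, global esc:   ' . renderRdnHtml(extractRdnEscaped($dn)) . "\n\n";
}
```

Run it with `php example.php`. The first sample shows why the escaping belongs at the HTML boundary: the globally escaped variant feeds HTML entities into the LDAP filter, which then cannot match the entry the RDN came from, and any HTML output that escapes again double-encodes it. The second sample is the converse reminder that filter context needs its own escaping (RFC 4515), which htmlspecialchars does not provide.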
> + * Non-maintainer upload by the LTS.
> ^
> Missing "team" ? :)
Hi Brian,
I assume that the get_rdn function cannot universally return with
"htmlspecialchars" applied?
+ * Non-maintainer upload by the LTS.
^
Missing "team" ? :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
doesn't have CSRF
support. So I intend to mark this as not-affected. Although the absence
of CSRF support is probably a bigger issue than CSRF tokens in URLs, it is
beyond the scope of wheezy LTS support.
Attached is my debdiff.
--
Brian May
diff -Nru ldap-account-manager-3.7/debian/changelog ld