On Sep 28, 2009, at 2:53 PM, mr.freeze wrote:

>
> Can we just replace gluon.contrib.markdown2.py or were there other
> changes? Trying to avoid an upgrade on my live sites.

That seems to be the only change (well, and the version number).

>
> On Sep 28, 4:42 pm, Massimo Di Pierro <mdipie...@cs.depaul.edu> wrote:
>> As you may know reddit.com was attacked recently. Today they explained
>> what happened:
>>
>> http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-us.html
>>
>> They had two problems, one in their code and one in the markdown code.
>> The latter is the same library we include in web2py/gluon/contrib/
>> markdown/markdown2.py.
>>
>> This means web2py code using the WIKI helper is vulnerable to an XSS
>> injection.
>>
>> This has been fixed in trunk and I also posted web2py 1.67.2
>>
>> Please upgrade immediately.
>>
>> The vulnerability will affect other frameworks that use markdown.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to 
web2py+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---