Slash 2.2.5 Released
Slash 2.2.5 is released. It is strongly recommended that you
upgrade if you are running any version from 2.2.0 through 2.2.4. This release fixes a
cross-site scripting (XSS) vulnerability in the handling of the formkey request
parameter, which could be used to obtain passwords or other private information from both users and admins.
Download it via HTTP or FTP, and read the README and changelog.
To upgrade from 2.2.x, unpack the 2.2.5 tarball and "make install," then restart Apache and the slashd daemon.
Depending on the version you are coming from, there are a few extra steps:
- from 2.2.2: some extremely minor SQL changes (see the changelog)
- from 2.2.1: you must also update the template header;misc;default
- from 2.2.0: also update the template displayForm;submit;default
- from 2.2.4: update the template messages;users;default
Earlier versions of Slash are also affected; if you are running 1.0.x or 2.0.x and are unable to upgrade to 2.2.5, read on for patches.
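To make the effect of the fix concrete, here is the per-parameter filtering that both patches below add, reconstructed in Python as an added example; this is not Slash code. The two regexes are the ones from the 2.0.x hunk on this page (sid also permits "/", "." and "_", qid aliases sid, formkey is alphanumeric only). The sample request, the two render functions and the stricter formkey_is_clean check are assumptions made for illustration and are not part of the patches.

```python
import re
from html import escape

# Per-parameter allowlist filters, transcribed from the Slash 2.0.x hunk
# on this page. re.sub(pattern, "", v) is Python's equivalent of Perl's
# s|pattern||g applied to $_[0].
SPECIAL = {
    "sid": lambda v: re.sub(r"[^A-Za-z0-9/._]", "", v),
    "formkey": lambda v: re.sub(r"[^A-Za-z0-9]", "", v),
}
SPECIAL["qid"] = SPECIAL["sid"]  # "qid is same as sid"


def filter_params(query):
    """Return a copy of a parsed query dict with the SPECIAL filters applied.

    Parameters with no entry in SPECIAL pass through untouched. That is the
    important limitation of this design: the allowlist only protects the
    parameter names someone remembered to list.
    """
    return {name: SPECIAL.get(name, lambda v: v)(value)
            for name, value in query.items()}


def formkey_is_clean(value):
    """Stricter variant (an assumption, not in the patches): accept a formkey
    only if the filter would leave it unchanged, so a tampered value is
    rejected instead of silently repaired."""
    return value != "" and SPECIAL["formkey"](value) == value


def render_hidden_unsafe(name, value):
    """The reflection the fix guards against: the request parameter is
    written back into a hidden form field verbatim."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_hidden_safe(name, value):
    """Defence in depth: attribute-escape at output time regardless of what
    the input filter did, so an unlisted parameter is still safe to echo."""
    return '<input type="hidden" name="%s" value="%s">' % (
        name, escape(value, quote=True))


# Constructed sample request (not captured from a real site): a formkey
# carrying an attribute-breakout XSS payload, a sid that the sid filter
# leaves intact, and an unlisted parameter.
SAMPLE_QUERY = {
    "formkey": '"><script>alert(1)</script>',
    "sid": "../../etc/passwd",
    "op": "comment",
}


def demo():
    """Run the sample request through both the unsafe and the fixed paths."""
    raw = SAMPLE_QUERY["formkey"]
    cleaned = filter_params(SAMPLE_QUERY)
    return {
        "unsafe_html": render_hidden_unsafe("formkey", raw),
        "filtered_formkey": cleaned["formkey"],
        "filtered_sid": cleaned["sid"],
        "safe_html": render_hidden_safe("formkey", raw),
        "accepted_by_strict_check": formkey_is_clean(raw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the payload `"><script>alert(1)</script>` reduced to `scriptalert1script` by the formkey filter, while the sid filter passes `../../etc/passwd` through unchanged because "." and "/" are on its allowlist, and the unlisted "op" parameter is not filtered at all; the output-time escaping in render_hidden_safe is what covers those last two cases.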
Here is the patch for Slash 1.0.x:
--- Slash.pm.orig Thu Feb 7 10:23:29 2002
+++ Slash.pm Thu Feb 7 10:09:40 2002
@@ -149,6 +149,7 @@
# special few
my %special = (
sid => sub { $_[0] =~ s|[^A-Za-z0-9/.]||g },
+ formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g },
);
for ($I{query}->param) {
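Review bot: the new formkey entry strips offending characters and silently passes the remainder on, so a tampered value such as `"><script>` is turned into `script` and continues through the form flow rather than being rejected; consider also failing the request when the substitution actually changed the value (e.g. compare the length before and after the `s|||g`), so tampering is detected instead of repaired. Note too that the sibling `sid` filter on the line above keeps `/` and `.`, so `../` survives it; if sid is ever used to build a filesystem path that filter is not sufficient on its own.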
And here is the patch for Slash 2.0.x:
diff -U3 -r1.10 Utility.pm
--- Slash/Utility/Utility.pm 2001/05/07 17:59:57 1.10
+++ Slash/Utility/Utility.pm 2002/02/07 15:39:15
@@ -2531,6 +2531,7 @@
# special few
my %special = (
sid => sub { $_[0] =~ s|[^A-Za-z0-9/._]||g },
+ formkey => sub { $_[0] =~ s|[^A-Za-z0-9]||g },
);
# qid is same as sid
$special{qid} = $special{sid};
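Review bot: the formkey filter is identical to the 1.0.x one, but `%special` is a per-parameter allowlist, so only sid, qid and formkey are cleaned here; any other parameter that is echoed back into HTML stays unfiltered. Since the advisory is about cross-site scripting, the durable fix is to escape at output time as well, with this allowlist as a first layer only. Minor: the sid pattern here also permits `_`, which the 1.0.x version does not; a one-line comment saying whether that difference is intentional would help.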
Pretty seamless (Score:1)
Re:Pretty seamless (Score:2)
lottadot [lottadot.com]