Gentoo Archives: gentoo-commits

From: "Peter Volkov (pva)" <pva@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in www-apps/mantisbt/files: mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch digest-mantisbt-1.0.8-r1
Date: Sun, 30 Dec 2007 19:17:42
Message-Id: E1J93fF-00065L-GK@stork.gentoo.org
1 pva 07/12/30 19:17:37
2
3 Added: mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
4 digest-mantisbt-1.0.8-r1
5 Log:
6 Fixes "Upload File" Script Insertion Vulnerability, bug 203791, reported by Pierre-Yves Rofes <py AT gentoo.org>.
7 (Portage version: 2.1.4_rc11)
8
9 Revision Changes Path
10 1.1 www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
11
12 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch?rev=1.1&content-type=text/plain
14
15 Index: mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
16 ===================================================================
17 Index: core/file_api.php
18 ===================================================================
19 --- core/file_api.php (リビジョン 4833)
20 +++ core/file_api.php (作業コピー)
21 @@ -163,7 +163,7 @@
22 $row = $t_attachment_rows[$i];
23 extract( $row, EXTR_PREFIX_ALL, 'v' );
24
25 - $t_file_display_name = file_get_display_name( $v_filename );
26 + $t_file_display_name = string_html_specialchars( file_get_display_name( $v_filename ) );
27 $t_filesize = number_format( $v_filesize );
28 $t_date_added = date( config_get( 'normal_date_format' ), db_unixtimestamp( $v_date_added ) );
29
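Review bot: The HTML encoding on the changed line is applied where $t_file_display_name is assigned rather than where it is printed, so every later use of that variable receives already-encoded text, while $v_filename created by extract() stays raw. The visible context does not show how either value is used further down. Please confirm that $t_file_display_name is only emitted into HTML (not placed in a URL parameter or encoded a second time) and that no later output prints $v_filename directly. A short comment on the changed line saying the display name is HTML-encoded from that point on would help keep later edits from reintroducing the script insertion this patch fixes.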
30
31
32
33 1.1 www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1
34
35 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1?rev=1.1&view=markup
36 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/digest-mantisbt-1.0.8-r1?rev=1.1&content-type=text/plain
37
38 Index: digest-mantisbt-1.0.8-r1
39 ===================================================================
40 MD5 fab90748346fe9a8276a71f59c1a245a mantis-1.0.8.tar.gz 1549854
41 RMD160 02e349a05d8d5c190d943ee4dc430a6adaffe1a0 mantis-1.0.8.tar.gz 1549854
42 SHA256 c22a3ad2f532addc70f8f266c83a360dfea685de79ebf713801b3f4fb556b501 mantis-1.0.8.tar.gz 1549854
43
44
45
46 --
47 gentoo-commits@g.o mailing list