[Bug 364949] Re: CVE-2009-0664 Cross-site scripting in user profile field and in text blocks
Steve Langasek
steve.langasek at canonical.com
Wed Apr 22 11:20:11 UTC 2009
Per discussion with Scott, the clamav-related change has been omitted
because it is not a correct fix for the problem in question. The reason
to escape the string is if you want to support characters that need
escaping, but this will always fail on the next line with the
file_exists() check. Either the escaping needs to be done in the right
place, or this should just be a check for illegal characters (i.e.,
verify that the filename is the same before and after escaping).
--
CVE-2009-0664 Cross-site scripting in user profile field and in text blocks
https://bugs.launchpad.net/bugs/364949
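The point made in the message above, as an added example that is not code from the bug report or from the project it concerns. The function names, the use of escapeshellcmd() as the escaping call, the clamscan command line and the sample filename are all assumptions chosen for illustration.

```php
<?php
// Added illustration. Function names, escapeshellcmd() as the escaping call
// and the clamscan command line are assumptions, not the project's code.

// Pattern criticised in the message: escape first, then test the escaped
// string against the filesystem. Any name that escaping changes no longer
// matches the real file, so the file_exists() check fails.
function scan_escape_too_early(string $path): ?string {
    $escaped = escapeshellcmd($path);
    if (!file_exists($escaped)) {
        return null;
    }
    return 'clamscan ' . $escaped;
}

// First option from the message: use escaping as a validity check and reject
// any filename that is not identical before and after escaping.
// escapeshellcmd() leaves whitespace alone, so the argument is still quoted.
function scan_reject_illegal(string $path): ?string {
    if ($path !== escapeshellcmd($path) || !file_exists($path)) {
        return null;
    }
    return 'clamscan ' . escapeshellarg($path);
}

// Second option: do the escaping in the right place. The filesystem check
// sees the raw name; escaping happens only where the shell string is built.
function scan_escape_at_use(string $path): ?string {
    if (!file_exists($path)) {
        return null;
    }
    return 'clamscan ' . escapeshellarg($path);
}

// Constructed sample: a real file whose name contains a shell metacharacter.
$path = sys_get_temp_dir() . '/report&draft.txt';
file_put_contents($path, 'sample');

var_dump(scan_escape_too_early($path)); // existing file is not found
var_dump(scan_reject_illegal($path));   // name refused as illegal
var_dump(scan_escape_at_use($path));    // command built with quoted name

unlink($path);
```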