http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #18 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:16:25 UTC --- The patch as its stands prevents file traversal, you could only read a file in the current dir with it, but yes you are right g is better. It turns out master and 3.6 are not vulnerable anyway, as if the value of $lang does not match a valid lanuage, it is made undef. So I will do new patches for 3.2.x and 3.4.x So to be clear on 3.4.6 and lower are vulnerable. 3.6.0 and master are not. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.