[Koha-bugs] [Bug 6629] [security] insecure use of Cookie for language selection
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Fri Nov 25 19:16:25 CET 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629
--- Comment #18 from Chris Cormack <chris at bigballofwax.co.nz> 2011-11-25 18:16:25 UTC ---
The patch as its stands prevents file traversal, you could only read a file in
the current dir with it, but yes you are right g is better. It turns out master
and 3.6 are not vulnerable anyway, as if the value of $lang does not match a
valid lanuage, it is made undef.
So I will do new patches for 3.2.x and 3.4.x
So to be clear on 3.4.6 and lower are vulnerable. 3.6.0 and master are not.
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list