Hi Thomas,
* Thomas Bläsing <[EMAIL PROTECTED]> [2008-08-08 12:13]:
> On Thu, Aug 07, 2008 at 05:40:08PM +1000, Steffen Joeris wrote:
> > I've attached the part from the upstream VCS, which should address this XSS.
> > Upstream confirmed this via private email. I am still looking into #493372, 
> > but it seems that unstable and testing are already fixed.
> No, there is no fix in unstable and testing, because the used version is 
> also 0.95-1 and there isn't the patch included - I checked it again today.

I think you misunderstood what Steffen wrote here..

> But if the maintainer fixes the #493372 they will also fix this bug within the
> upstream patch, I think, and so it's not very important to discuss it anymore,
> because it's just a XSS issue which isn't a very hard bug :)

I don't think this is the case. The patch in 493372 only escapes
single quote ('), double quote ("), backslash (\) and NUL on
registration; the XSS should still be possible.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
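The point Nico makes above is a category mismatch: escaping `'`, `"`, `\` and NUL is the classic database-string escaping, and it leaves `<` and `>` untouched, so a value that is later written into an HTML page is still injectable. The following is an added illustration, not code from the thread or from the package being discussed; `registration_escape` only mimics the escaping Nico describes for the #493372 patch (an assumption about its effect, not the patch itself), and the sample username is constructed.

```python
import html


def registration_escape(value: str) -> str:
    """Escape only ' " \\ and NUL, as Nico describes the #493372 patch doing.

    Assumption: this reproduces the effect of that patch; it is not the patch.
    This is storage (SQL-string) escaping, not output encoding.
    """
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}
    return "".join(table.get(ch, ch) for ch in value)


def html_escape(value: str) -> str:
    """Output encoding for an HTML text or attribute context."""
    return html.escape(value, quote=True)


def still_has_markup(value: str) -> bool:
    """True if the value still carries characters an HTML parser treats as tags."""
    return "<" in value or ">" in value


def check_escaper(escaper, value: str) -> dict:
    """Return what an escaper does to a value and whether markup survives it."""
    escaped = escaper(value)
    return {"escaped": escaped, "markup_survives": still_has_markup(escaped)}


if __name__ == "__main__":
    # Constructed sample: a username that is harmless to a SQL string
    # but is parsed as markup when echoed into a page.
    username = "<script>alert(1)</script>"
    for name, fn in (("registration_escape", registration_escape),
                     ("html_escape", html_escape)):
        result = check_escaper(fn, username)
        print(f"{name:20s} -> {result['escaped']!r} "
              f"(markup survives: {result['markup_survives']})")
```

Running it shows that the SQL-style escaper returns the username unchanged, so rendering it verbatim into a page is still an XSS, whereas the HTML escaper turns the angle brackets into entities. The fix for the XSS therefore has to be output encoding at the point where the value is written into HTML, independent of whatever escaping happens on registration.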
