This is a pretty worrying 'fix'. The Foswiki guys analysed the situation, and felt that changing URLPARAM as twiki did was not addressing the issue at all (and I agree). What they did was to change the code to default to a safe encoding, and to then allow the user to optionally request different versions of it.
This still involves changing some topics though :/

Sven

Olivier Berger wrote:
> Hi.
>
> I've had a look at this one bug, but it may not be easy to fix, I'm
> afraid, as we're not in sync with upstream's latest version.
>
> It seems only some of the occurrences of URLPARAM need to be fixed (those
> inside forms POSTed, IIRC). The hard thing is to identify them. Maybe
> some merging between current versions in Debian, upstream's previous one
> and upstream's latest ?
>
> Also there's the problem of updating the installed topics files for
> running TWikis.
>
> Any comments much welcome.
>
> Best regards,
>
> On Tuesday, 09 December 2008 at 10:54 +0000, Dominic Hargreaves wrote:
>
>> Please see
>> <http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5304>
>> for details of an XSS vulnerability affecting 4.1.2.
>>
>> Thanks,
>> Dominic.
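To make the "safe encoding by default, opt out explicitly" approach described above concrete, here is an added toy model of a URLPARAM-style macro expander. It is not TWiki's or Foswiki's code; the macro syntax, the `encode` values and the `expand_urlparam` function are assumptions for this example.

```python
import html
import re
import urllib.parse

# Constructed model of a %URLPARAM{...}% expander (not TWiki/Foswiki code).
# Safe by default: a request parameter is HTML-entity encoded before it is
# written into the page unless the topic explicitly asks for another encoding.
MACRO_RE = re.compile(r'%URLPARAM\{(?P<args>[^}]*)\}%')
# Matches `"value"` (bare first argument = parameter name) or `key="value"`.
ARG_RE = re.compile(r'(?:(?P<key>\w+)=)?"(?P<val>[^"]*)"')

# Encoders a topic author may request with encode="...". The default is
# 'entity'; 'off' is a deliberate, visible opt-out rather than the default.
ENCODERS = {
    'entity': lambda s: html.escape(s, quote=True),
    'url': lambda s: urllib.parse.quote(s, safe=''),
    'off': lambda s: s,
}


def parse_args(args: str) -> dict:
    """Turn `"q" encode="url" default="x"` into {'name': 'q', ...}."""
    out = {}
    for m in ARG_RE.finditer(args):
        out[m.group('key') or 'name'] = m.group('val')
    return out


def expand_urlparam(template: str, query: dict) -> str:
    """Expand every %URLPARAM{...}% in `template` from the request `query`."""
    def substitute(m):
        args = parse_args(m.group('args'))
        value = query.get(args.get('name', ''), args.get('default', ''))
        mode = args.get('encode', 'entity')   # safe default when unspecified
        if mode not in ENCODERS:
            raise ValueError(f'unknown encode={mode!r}')
        return ENCODERS[mode](value)
    return MACRO_RE.sub(substitute, template)


if __name__ == '__main__':
    # Constructed request: a parameter carrying markup.
    q = {'q': '<script>alert(1)</script>'}
    print(expand_urlparam('Search: %URLPARAM{"q"}%', q))
    print(expand_urlparam('<a href="/s?q=%URLPARAM{"q" encode="url"}%">', q))
```

Under this model, only a topic that writes `encode="off"` gets the raw value, so the topics that need review are the ones carrying that explicit opt-out rather than every occurrence of the macro.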