Apologies -- my previous message included a broken patch from an
earlier attempt rather than the current one. Here is what I'm
presently using on my systems:


--- /usr/share/ajaxterm/ajaxterm.js     2009-02-17 13:40:43.000000000 +0000
+++ ajaxterm.js 2009-05-17 20:15:16.000000000 +0000
@@ -3,7 +3,16 @@
        var ie=0;
        if(window.ActiveXObject)
                ie=1;
-       var sid=""+Math.round(Math.random()*1000000000);
+
+       // mitigate CVE-2009-1629
+       var sid_arr = (
+               "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+       ).split("");
+       var sid = "";
+       for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
+               sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
+       }
+
        var query0="s="+sid+"&w="+width+"&h="+height;
        var query1=query0+"&c=1&k=";
        var buf="";
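Review bot: The replacement still draws the session identifier from `Math.random()`, which is not a cryptographically secure generator, so the wider 62-character alphabet and 9-position length raise the search space but not the unpredictability CVE-2009-1629 is about; an observer who sees enough outputs of the browser's PRNG may still narrow the next `sid`. The more robust fix is for the server to mint the session id from its own CSPRNG and hand it to the page, rather than trusting a client-chosen value. Separately, the loop counter is assigned without a declaration, which makes `sid_inc` an implicit global; change the loop header to `for (var sid_inc = 0 ; sid_inc < 9 ; sid_inc++){`. A short comment above the loop stating the limitation would also help, e.g. `// NOTE: Math.random() is not a CSPRNG; this only raises the guessing cost, it does not make sid unpredictable`. The enclosing function begins before this hunk, so the declaration of `width` and `height` used on the `query0` line is not visible here.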


Sorry for the confusion!
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org);
MUD(fu...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }



-- 