Apologies--my previous message included a broken patch from an
earlier attempt rather than the current one. Here is what I'm
presently using on my sytems:
--- /usr/share/ajaxterm/ajaxterm.js 2009-02-17 13:40:43.000000000 +0000
+++ ajaxterm.js 2009-05-17 20:15:16.000000000 +0000
@@ -3,7 +3,16 @@
var ie=0;
if(window.ActiveXObject)
ie=1;
- var sid=""+Math.round(Math.random()*1000000000);
+
+ // mitigate CVE-2009-1629
+ var sid_arr = (
+ "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+ ).split("");
+ var sid = "";
+ for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
+ sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
+ }
+
var query0="s="+sid+"&w="+width+"&h="+height;
var query1=query0+"&c=1&k=";
var buf="";
Sorry for the confusion!
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org);
MUD(fu...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
