On Tue, Aug 21, 2012 at 11:41:43PM +0100, Steven Chamberlain wrote:
> Bug affects an example script in the documentation only.
>
> Untrusted paths are used by file() and opendir(). A patch committed
> upstream tries to sanitise the inputs. [1]
>
> But these and other user-supplied data are still echoed out unescaped,
> so I think it would allow XSS if someone used the script on a public-facing
> webserver. The code looks like it might have all sorts of other issues.
>
> It seems obsoleted by cssgen2.php, which does not need to accept user
> input at all. That is distributed already in php-geshi 1.0.8.4-1.
>
> So I suggest removing the cssgen.php file altogether. Thank you.

Thanks for this suggestion. I will prepare an upload that removes this file
from the examples directory and will ask the release team for a freeze
exception.

On Thu, Aug 23, 2012 at 11:23:10AM +0200, Thorsten Glaser wrote:
> On Tue, 21 Aug 2012, Benny Baumann wrote:
>
> > Given exactly the
> > 2-3 years this package will be in stable/oldstable is the reason why
> > there should be an update to something reasonably recent before the
> > package is put into a distribution.
>
> Sorry, it’s now too late for that. In May, something could have
> been done, but not now. No new upstream versions, any more.
>
> (That being said, updating it in sid now would be reasonable,
> and wheezy users could just pull that package from sid.)

If the change suggested above by Steven is accepted by the release team,
I will upload a new upstream version to unstable after the fixed version
has migrated to testing.

Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://www.dittberner.info/
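As an added illustration that is not GeSHi's cssgen.php nor any code from this thread, the following constructed PHP fragment shows the two weaknesses Steven describes (an untrusted path handed to opendir() and request data echoed into the page unescaped) next to a hardened form that confines the path to a known base directory and escapes every dynamic value; the `dir` parameter, the `geshi` directory and both function names are assumptions.

```php
<?php
// Constructed example, not GeSHi's cssgen.php. The 'dir' query parameter,
// the base directory and the function names are assumptions for illustration.

// Weak pattern: the request value reaches opendir() and the HTML untouched.
function listLanguagesUnsafe(string $dirParam): string
{
    $html = '<p>Languages in ' . $dirParam . ':</p><ul>';   // unescaped output
    if ($handle = opendir($dirParam)) {                      // attacker-chosen path
        while (($entry = readdir($handle)) !== false) {
            $html .= '<li>' . $entry . '</li>';
        }
        closedir($handle);
    }
    return $html . '</ul>';
}

// Hardened pattern: allow-list the name, pin it under $baseDir, escape output.
function listLanguagesSafe(string $dirParam, string $baseDir): string
{
    // 1. Accept only a plain directory name: no separators, no dot segments.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $dirParam)) {
        return '<p>Invalid directory name.</p>';
    }
    // 2. Resolve symlinks and confirm the target still lies inside $baseDir.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $dirParam);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return '<p>Directory not found.</p>';
    }
    // 3. Escape every value (parameter and file names) before it enters HTML.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $items = '';
    foreach (scandir($target) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $items .= '<li>' . $esc($entry) . '</li>';
    }
    return '<p>Languages in ' . $esc($dirParam) . ':</p><ul>' . $items . '</ul>';
}

// Usage (constructed): serve listings only from a fixed directory next to this script.
$baseDir = __DIR__ . DIRECTORY_SEPARATOR . 'geshi';
echo listLanguagesSafe($_GET['dir'] ?? '', $baseDir);
```

With the hardened version, a value such as `../../etc` fails the allow-list check, and a file name containing `<script>` is rendered as text rather than markup.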