Uhm, I was actually looking over the problematic piece of code a while ago too, but I thought you could only retrieve JS scripts you were not supposed to this way and I didn't consider it much of a security issue. Good that it has been fixed and that we have some people who like to look at the security aspects in the framework.

Best Regards,
Felix Geisendörfer


Larry E. Masters aka PhpNut wrote:
There was a security exploit brought to my attention today. I have fixed this exploit in the trunk and branched versions. Please replace the app/webroot/js/vendors.php with this file.

https://trac.cakephp.org/browser/trunk/cake/1.x.x.x/app/webroot/js/vendors.php?format=txt

This exploit is important to correct since it would allow reading files outside of the vendors/_javascript_ directory when magic_quotes_gpc = Off.

Thank you,

--
/**
* @author Larry E. Masters
* @var string $userName
* @param string $realName
* @returns string aka PhpNut
* @access  public
*/
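Added here as an illustration of the class of fix being discussed, not the vendors.php from the thread or any CakePHP code: a minimal PHP resolver that serves only bare `.js` file names from one fixed directory and refuses any request that would resolve outside it, without relying on magic_quotes_gpc (function name, directory layout and the constructed temp files are assumptions).

```php
<?php
// Added example, not CakePHP's vendors.php. Resolves a requested script name
// under a fixed vendor directory and returns null for anything that escapes it.

function resolveVendorScript(string $baseDir, string $requested): ?string
{
    // A NUL byte can truncate the path in lower-level file APIs; reject it
    // directly instead of depending on magic_quotes_gpc to escape it.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a bare file name is served; any directory component is refused.
    if ($requested !== basename($requested)) {
        return null;
    }
    // Allow-list the name format and require a .js extension.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.js$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null; // base missing or file does not exist
    }
    // realpath() has resolved symlinks and '..'; the result must still be
    // inside the vendor directory, so check the canonical prefix.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check against a constructed temporary vendor directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vendorjs_' . uniqid();
mkdir($dir);
file_put_contents("$dir/jquery.js", "/* constructed sample */");
expect(resolveVendorScript($dir, 'jquery.js') === realpath("$dir/jquery.js"), 'plain name served');
expect(resolveVendorScript($dir, '../outside.js') === null, 'traversal refused');
expect(resolveVendorScript($dir, "jquery.js\0") === null, 'NUL byte refused');
expect(resolveVendorScript($dir, 'missing.js') === null, 'missing file refused');
unlink("$dir/jquery.js");
rmdir($dir);
echo "all checks passed\n";
```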

