On Tue, August 3, 2010 14:45, Ansgar Burchardt wrote:
> "Adam D. Barratt" <[email protected]> writes:
>> The upstream commits referenced in the bug report contain two changes -
>> the one you've included in your patch, and 4f46c293, which applies
>> (assuming the function name is accurate) to privmsgs and notices. Does
>> the later patch render the earlier one unnecessary, or should both be
>> included? The commit message for 4f46c293 implies that it was intended
>> as a security fix.
>
> I think you refer to this part of the upstream patch [1]:
>
> - my @messages = split /\n/, $message;
> + my @messages = split /[\n\r]/, $message;
>
> This is not needed for Debian: the split statement was introduced in [2]
> in a first attempt to fix the injection problem and later updated to
> include \r as well. But upstream has reverted to the old behavior
> already [3]: messages are no longer split; only everything after \r and
> \n is stripped from messages before sending.
>
> I contacted upstream on IRC before preparing the package because I was a
> bit unsure about this part as well and they confirmed that including
> only
>
> + # if we find a newline in the message, take that to be the end of it
> + $msg =~ s/[\015\012].*//s;
>
> should be enough to fix the issue.
Thanks for the explanation; please go ahead with the upload.

Regards,

Adam
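The two approaches discussed in the thread, as an added illustration that is not part of the mailing-list exchange or of the package's own code: an IRC server frames commands on CR/LF, so a message containing a newline becomes two protocol commands unless the client strips or splits it first. The function names and the sample message are constructed for this example; the regexes mirror the Perl fragments quoted above (`split /[\n\r]/` and `s/[\015\012].*//s`), with empty parts dropped after the split.

```python
import re

CRLF = "\r\n"


def frame_privmsg(target: str, text: str) -> str:
    """Build the raw IRC wire line for a PRIVMSG; `text` is not sanitised here."""
    return f"PRIVMSG {target} :{text}{CRLF}"


def strip_at_newline(msg: str) -> str:
    """Upstream's current fix: discard everything from the first CR or LF on
    (Perl equivalent: $msg =~ s/[\\015\\012].*//s;)."""
    return re.sub(r"[\r\n].*", "", msg, flags=re.S)


def split_on_newlines(msg: str) -> list:
    """The earlier, since-reverted approach: split into several messages
    (Perl equivalent: split /[\\n\\r]/, $message), each framed separately.
    Empty fragments (e.g. between \\r and \\n) are dropped here."""
    return [part for part in re.split(r"[\r\n]", msg) if part != ""]


def wire_commands(raw: str) -> list:
    """Frame a raw stream the way an IRC server does: one command per line,
    terminated by CRLF (a bare LF or CR is tolerated as well)."""
    return [line for line in re.split(r"\r\n|\n|\r", raw) if line]


def send_unsanitised(target: str, text: str) -> list:
    """Commands the server sees when the client forwards `text` untouched."""
    return wire_commands(frame_privmsg(target, text))


def send_stripped(target: str, text: str) -> list:
    """Commands the server sees with the strip-at-newline fix applied."""
    return wire_commands(frame_privmsg(target, strip_at_newline(text)))


def send_split(target: str, text: str) -> list:
    """Commands the server sees with the older split-into-messages approach."""
    raw = "".join(frame_privmsg(target, p) for p in split_on_newlines(text))
    return wire_commands(raw)


if __name__ == "__main__":
    # Constructed sample: user-supplied text carrying an embedded CRLF.
    sample = "hello\r\nPRIVMSG #other :injected"
    print(send_unsanitised("#chan", sample))  # two commands reach the server
    print(send_stripped("#chan", sample))     # only the first line is sent
    print(send_split("#chan", "line one\nline two"))
```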

