-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I sent a patch for Unstable to my sponsor. This should be uploaded soon. For Stable the patch is attached. The Stable version is not affected by the bug in add_value_form.php. As written before, the report about the problem in list view is invalid for Stable and Unstable.

- -- 
Best regards
Roland
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9TWJsACgkQq/ywNCsrGZ5kSQCfQejOCdpbHY5k/KoUqh4whHkW
snoAniAbxuSN0GbTLFAuLMROEdJnjFej
=GFlt
-----END PGP SIGNATURE-----
Description: XSS fix
 Use htmlspecialchars to sanitize special characters.
 .
 ldap-account-manager (3.1.0-3) testing-proposed-updates; urgency=high
 .
   * Fix "Multiple vulnerabilities"
     Replace special characters in HTML output. (Closes: #661904)
Author: Roland Gruber <[email protected]>
Bug-Debian: http://bugs.debian.org/661904
---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:
Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>
--- ldap-account-manager-3.1.0.orig/templates/tree/export.php
+++ ldap-account-manager-3.1.0/templates/tree/export.php
@@ -119,15 +119,21 @@ $exporter->setOutputFormat($br);
@set_time_limit( 0 );
// send the header
-if( $save_as_file )
- header( "Content-type: application/download" );
-else
- header( "Content-type: text/plain" );
header( "Content-Disposition:
filename=$friendly_rdn.".$exporters[$exporter_id]['extension'] );
header( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );
header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );
header( "Cache-Control: post-check=0, pre-check=0", false );
+if( $save_as_file ) {
+ header( "Content-type: application/download" );
+ $exporter->export();
+}
+else {
+ header( "Content-type: text/plain" );
+ ob_start();
+ $exporter->export();
+ $buffer = ob_get_contents();
+ ob_end_clean();
+ echo htmlspecialchars($buffer);
+}
-// and export
-$exporter->export();
?>
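Review bot: in the `else` branch, passing the whole export through `htmlspecialchars($buffer)` while still sending `Content-type: text/plain` changes the data rather than how it is rendered: every `<`, `>`, `&` and `"` in an exported entry, or in an export format that is itself XML, reaches the browser as `&lt;`, `&gt;`, `&amp;` and `&quot;`, so the on-screen export no longer matches what the `$save_as_file` branch delivers for the same entry. A browser that honours the declared type does not interpret text/plain as HTML; the residual risk is MIME sniffing, which is better closed by adding `header( "X-Content-Type-Options: nosniff" );` beside the existing headers and leaving the body untouched, or by always sending the export as a download. If the escaping is kept, make the charset and flags explicit, e.g. `echo htmlspecialchars($buffer, ENT_QUOTES, 'UTF-8');`: the default charset varies by PHP version, and from PHP 5.4 the function returns an empty string for a buffer that is not valid in that charset, which would silently blank an export containing binary attribute values. Two smaller points in the same hunk: `application/download` is not a registered media type (`application/octet-stream` is the conventional force-download type), and the unchanged `Content-Disposition` header has neither an `attachment;` disposition type nor quotes around the filename, so a `$friendly_rdn` containing spaces or `;` yields a parameter the browser may truncate or discard.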