Greetings,

While looking at a diff between the 3.0.x branch and trunk for the web
frontend, I noticed the following snippet (htmlentities is missing in 3.0.x):

@@ -331,7 +330,7 @@
    header ("Pragma: no-cache");                     // HTTP/1.0
    if ($debug) {
      header ("Content-type: text/html");
-     print "$command\n\n\n\n\n";
+     print htmlentities( $command ) . "\n\n\n\n\n";
     }
    else {
      header ("Content-type: image/gif");
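Review bot: the `+` line calls `htmlentities( $command )` with default flags, so the quote handling and charset depend on the PHP version (the default ENT_COMPAT mode leaves single quotes unescaped, and the default charset was not UTF-8 before PHP 5.4). Since this output is sent under `Content-type: text/html`, suggest pinning both explicitly: `print htmlentities( $command, ENT_QUOTES, 'UTF-8' ) . "\n\n\n\n\n";`. Note also that only the `$debug` branch changes here; the `image/gif` path below is untouched by this hunk.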

I understand that $debug has been hardcoded to disabled in graph.php, so this
code path should never be exercised, but I was still curious why this snippet
wasn't included in 3.0.6 along with all the other XSS fixes, given that it was
applied to trunk and obviously available together with all the other changes.

Could anyone elaborate on the rationale behind that? And since 3.0.7 is going
to be released soon, could we just add it there as well for consistency?

Carlo

_______________________________________________
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
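The contrast the message is about, as an added example (not Ganglia's code and not part of the original post): the unescaped debug print beside an escaped version with explicit flags. It assumes, hypothetically, that $command can carry attacker-influenced text, and uses a constructed sample string to show the difference; the function names and the sample are mine.

```php
<?php
// Added example, not code from Ganglia or from the mailing-list post.
// Compares the raw debug output (as in 3.0.x) with an escaped form, and
// pins the htmlentities flags so the result does not depend on PHP defaults.
// Assumption for illustration: $command may contain attacker-influenced text.

function render_debug_unescaped($command) {
    // Mirrors the 3.0.x branch: the string goes straight into a text/html body.
    return $command . "\n\n\n\n\n";
}

function render_debug_escaped($command) {
    // Mirrors the trunk fix, with explicit flags: ENT_QUOTES also escapes the
    // single quote, and 'UTF-8' fixes the charset instead of relying on the
    // PHP-version-dependent default.
    return htmlentities($command, ENT_QUOTES, 'UTF-8') . "\n\n\n\n\n";
}

function contains_raw_markup($text) {
    // Cheap check used below: any unescaped angle bracket or quote left over.
    return strpbrk($text, "<>\"'") !== false;
}

// Constructed sample (hypothetical): a command string carrying an injected script tag.
$sample = "rrdtool graph foo.gif '<script>alert(1)</script>'";

$raw     = render_debug_unescaped($sample);
$escaped = render_debug_escaped($sample);

echo "unescaped: " . $raw;
echo "escaped:   " . $escaped;

// The raw form still contains markup; the escaped form does not.
var_dump(contains_raw_markup($raw));     // bool(true)
var_dump(contains_raw_markup($escaped)); // bool(false)
```

Run with `php example.php`. The escaped line renders the sample as `rrdtool graph foo.gif &#039;&lt;script&gt;alert(1)&lt;/script&gt;&#039;`, so a browser shows the text instead of executing it; with the default flags the single quotes would pass through unchanged, which is why the explicit ENT_QUOTES and charset are worth carrying into the branch along with the htmlentities call itself.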
