On Mon, 18 Jun 2007 11:06:26 -0700 Tom Collins <[EMAIL PROTECTED]> wrote:
> On Jun 18, 2007, at 10:40 AM, ed wrote:
> > In order to get PCI valid I had to patch qmailadmin so that <> are
> > I have attached the diff for -stable. Everything should be
> > sane, but I admit that these changes were done in a bit of a rush
> > just so we can get the PCI badge.
> >
> > I've no idea if attachments are stripped from list postings.
>
> Where were the symbols not getting printed correctly? When I added
> the printh and sprinth commands, it should have taken care of
> converting <, >, " and &. I thought the 1.2.4 release took care of
> possible XSS attacks.

It only corrected the "domain does not exist" error. There were a whole number of places where the <> symbols would be printed. I wish I had kept the log; I can undo the patch and wait for the PCI tests to run again and try and keep copies of it. The httptext fields, off the top of my head, were vulnerable, so too was the change password screen.

-- 
The dual T1 to the GameCube is losing cohesion because of an errant well-driller. RedHat is horking out last night's beer.
:: http://www.s5h.net/ :: http://www.s5h.net/gpg
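The escaping Tom describes (rewriting <, >, " and & before they reach HTML output) and the check a scanner runs against pages that bypass it, as an added C illustration; this is not qmailadmin's printh()/sprinth() code, and the function names, the sample input and the entity-aware check are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical escaper (not qmailadmin's sprinth): rewrite the four
 * characters named in the thread. Returns a newly allocated string;
 * the caller frees it. */
char *html_escape(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 6 + 1);   /* worst case: every byte -> "&quot;" */
    if (!out) return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        const char *rep;
        switch (*s) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '"': rep = "&quot;"; break;
        case '&': rep = "&amp;";  break;
        default:  *p++ = *s;      continue;
        }
        size_t rl = strlen(rep);
        memcpy(p, rep, rl);
        p += rl;
    }
    *p = '\0';
    return out;
}

/* Returns 1 if output text still carries a raw <, >, " or a bare & that is
 * not one of the four entities above, i.e. a value reached the page without
 * passing through the escaping path (what a PCI-style scan flags). */
int has_unescaped_html(const char *s)
{
    for (; *s; s++) {
        if (*s == '<' || *s == '>' || *s == '"') return 1;
        if (*s == '&' && strncmp(s, "&lt;", 4) && strncmp(s, "&gt;", 4) &&
            strncmp(s, "&quot;", 6) && strncmp(s, "&amp;", 5))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a value a user could submit in a form field. */
    const char *sample = "bob <b>\"x\"</b> & co";
    char *e = html_escape(sample);
    printf("raw:     %s  (unescaped: %d)\n", sample, has_unescaped_html(sample));
    printf("escaped: %s  (unescaped: %d)\n", e, has_unescaped_html(e));
    free(e);
    return 0;
}
```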
