Bug#415379: ldap-account-manager: quoting of user description field broken

2007-03-21 Thread Roland Gruber
Hi Brian,

Brian May wrote:
 Unfortunately, while this fixes the problem with tree view, it does
 not fix the problem with the generated HTML in the personal user
 editor - everything appears in the textbox up to the first 
 character, and after that everything else appears outside the text
 box.

now I see what you mean. I first thought that only additional
backslashes were added but the second problem is that HTML characters
are not escaped in the output.

I will discuss this with my sponsor and increase the bug priority if needed.


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://lam.sourceforge.net

Want more? Get LDAP Account Manager Pro!
http://lam.sourceforge.net/lamPro/index.htm




Bug#415379: ldap-account-manager: quoting of user description field broken

2007-03-20 Thread Roland Gruber
Hi Brian,

Brian May wrote:
 Attribute   Old value   New value
 description les 123\456\'789
 
 which is different, and then when I push commit, the value comes out as:
 
 123\\\456\\\'789

I will provide a fix for this in the next release. However, it will not
be included in Etch since it is not critical/security related.

As workaround you can set magic_quotes_gpc to Off in your php.ini file.




Bug#415379: ldap-account-manager: quoting of user description field broken

2007-03-20 Thread Brian May
 Roland == Roland Gruber [EMAIL PROTECTED] writes:

Roland I will provide a fix for this in the next
Roland release. However, it will not be included in Etch since it
Roland is not critical/security related.

Hmmm. I think it could still meet the requirements,
regardless. e.g. if you argued it was corrupting data.

Still... Your call.

Roland As workaround you can set magic_quotes_gpc to Off in
Roland your php.ini file.

Is this likely to have any side effects, e.g. breaking other
applications?

Unfortunately, while this fixes the problem with tree view, it does
not fix the problem with the generated HTML in the personal user
editor - everything appears in the textbox up to the first 
character, and after that everything else appears outside the text
box.

The value needs to be HTML encoded before it is passed as a value to
the HTML textbox.

(This type of thing is normally a security issue - not sure about this
particular case though).
-- 
Brian May [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
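The two defects the thread describes, reproduced as an added example in PHP (this is not LDAP Account Manager's code; the function names are hypothetical): magic_quotes_gpc runs addslashes() on posted data, so a value saved without stripslashes() gains a layer of backslashes on every round-trip, and a value printed into an attribute without htmlspecialchars() ends the attribute at the first double quote.

```php
<?php
// Added example, not code from LDAP Account Manager. It models Bug#415379:
//   1. with magic_quotes_gpc=On, PHP applies addslashes() to every submitted
//      value; storing it without stripslashes() multiplies the backslashes
//      each time the edit form is re-submitted;
//   2. a stored value must go through htmlspecialchars() before it is placed
//      in an HTML attribute, or a '"' in the data closes the attribute early
//      and the remainder of the string lands outside the text box.

function receivedValue(string $raw, bool $magicQuotesOn): string
{
    // Undo the slashes PHP added; with magic quotes Off, $raw is already literal.
    return $magicQuotesOn ? stripslashes($raw) : $raw;
}

function saveWithoutStripslashes(string $description, int $submits): string
{
    // Buggy path: the slashed POST data is stored as-is, and each further
    // submit of the edit form lets magic quotes escape it once more.
    $stored = $description;
    for ($i = 0; $i < $submits; $i++) {
        $stored = addslashes($stored);   // what magic_quotes_gpc does on POST
    }
    return $stored;
}

function descriptionInputBroken(string $value): string
{
    // Vulnerable pattern: the raw LDAP value interpolated into the attribute.
    return '<input name="description" type="text" value="' . $value . '">';
}

function descriptionInputFixed(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the data cannot close the attribute;
    // the browser decodes the entities back into the visible text box.
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input name="description" type="text" value="' . $safe . '">';
}

// Constructed sample input: a description containing both quote characters.
$typed = '123"456\'789';
echo saveWithoutStripslashes($typed, 1), "\n"; // one backslash per quote (confirmation page)
echo saveWithoutStripslashes($typed, 2), "\n"; // three per quote, as the report shows after commit
echo receivedValue(addslashes($typed), true), "\n"; // original text, ready to store
echo descriptionInputBroken($typed), "\n";          // attribute value stops at the first "
echo descriptionInputFixed($typed), "\n";           // quotes become entities inside value="..."
```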



Bug#415379: ldap-account-manager: quoting of user description field broken

2007-03-18 Thread Brian May
Package: ldap-account-manager
Version: 1.1.1-1
Severity: important


TREE VIEW

In tree view, if I change the description to

123456'789

I see:

Do you want to make these changes?

Attribute   Old value   New value
description les 123\456\'789

which is different, and then when I push commit, the value comes out as:

123\\\456\\\'789



USERS VIEW

The HTML generated for the form is:

td
input name=description size=30 maxlength=255 value=123\\\ 456= 
789= tabindex=5002 type=text/td

Which again is very broken.


(possibly something like this might be a security issue, but I haven't
really considered this in detail yet - presumably the data from LDAP
should be trusted so it should be OK...)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-xen-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

