Per discussion with Scott, the clamav-related change has been omitted because it is not a correct fix for the problem in question. The reason to escape the string is if you want to support characters that need escaping, but this will always fail on the next line with the file_exists() check. Either the escaping needs to be done in the right place, or this should just be a check for illegal characters (i.e., verify that the filename is the same before and after escaping).
--
CVE-2009-0664 Cross-site scripting in user profile field and in text blocks
https://bugs.launchpad.net/bugs/364949
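The ordering problem described in the comment above, as an added PHP example that is not part of the original message or of the project's code. It assumes a POSIX system and that the escaping is done with escapeshellarg(); the function names, scanner path and file names are hypothetical.

```php
<?php
// Added illustration, not the project's code. Function names and the scanner
// path are hypothetical; escapeshellarg() is an assumed choice of escaping.

// Escaping before the existence check: the escaped string is not the name on
// disk, so file_exists() is asked about a different path.
function exists_after_escaping(string $path): bool
{
    return file_exists(escapeshellarg($path));
}

// Escaping in the right place: check the real name, escape only when the
// command line is built.
function build_scan_command(string $scanner, string $path): ?string
{
    if (!is_file($path)) {
        return null;
    }
    return escapeshellarg($scanner) . ' ' . escapeshellarg($path);
}

// The alternative: treat escaping as a test for illegal characters and reject
// any name it would change. escapeshellcmd() leaves spaces and paired quotes
// alone, so the accepted name still has to be quoted when it is used.
function name_unchanged_by_escaping(string $path): bool
{
    return escapeshellcmd($path) === $path;
}

// Constructed sample: temp files, one with shell metacharacters in its name.
$dir = sys_get_temp_dir();
$odd = $dir . '/upload (1);x.txt';
$plain = $dir . '/upload1.txt';
file_put_contents($odd, 'sample');
file_put_contents($plain, 'sample');

var_dump(exists_after_escaping($odd));
var_dump(build_scan_command('/usr/bin/scanner', $odd));
var_dump(name_unchanged_by_escaping($odd));
var_dump(name_unchanged_by_escaping($plain));

unlink($odd);
unlink($plain);
```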
