Yes, that is the only change. BTW, before posting here I emailed my patch to the author, since many web applications depend on markdown. My patch is similar to the one suggested by reddit but uses UUID to set the salt. They use markdown; we use markdown2.
I also took the occasion to study this file. It seems to me there is a lot of code in there that we do not use, and the code that we do use can be improved a lot in terms of speed. I may work a little more on this.

Massimo

On Sep 28, 5:15 pm, Jonathan Lundell <[email protected]> wrote:
> On Sep 28, 2009, at 2:53 PM, mr.freeze wrote:
>
> > Can we just replace gluon.contrib.markdown2.py or were there other
> > changes? Trying to avoid an upgrade on my live sites.
>
> That seems to be the only change (well, and the version number).
>
> > On Sep 28, 4:42 pm, Massimo Di Pierro <[email protected]> wrote:
> >> As you may know, reddit.com was attacked recently. Today they explained
> >> what happened:
> >>
> >> http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-us.html
> >>
> >> They had two problems, one in their code and one in the markdown
> >> code. The latter is the same library we include in
> >> web2py/gluon/contrib/markdown/markdown2.py.
> >>
> >> This means web2py code using the WIKI helper is vulnerable to an XSS
> >> injection.
> >>
> >> This has been fixed in trunk and I also posted web2py 1.67.2.
> >>
> >> Please upgrade immediately.
> >>
> >> The vulnerability will affect other frameworks that use markdown.

