Xataface Security Release 1.3rc5 (Critical Bugfix)
Posted: Wed Aug 03, 2011 1:00 pm
Xataface 1.3rc5 was released today and is available for download on Sourceforge:
https://sourceforge.net/projects/datafa ... ce-1.3rc5/
It patches a critical security vulnerability.
(Note that the bug report this release refers to lists a number of issues. Only one of them was identified as a current vulnerability.)
All installs of the 1.3.x branch should be updated to this version. If you are working off the trunk of the SVN repository, you should update to revision 2509 or later.
Fixes for Older Versions
Users of the 1.2.x branch should update to 1.2.7:
https://sourceforge.net/projects/datafa ... ace-1.2.7/
Users of the 1.1.x branch (PHP 4) should update to version 1.1.6:
https://sourceforge.net/projects/datafa ... ace-1.1.6/
Patching Existing Releases
If you would rather just patch your existing release, the diff for this update is:
Index: Dataface/Application.php
===================================================================
--- Dataface/Application.php (revision 2508)
+++ Dataface/Application.php (revision 2509)
@@ -590,9 +590,10 @@
$prefix = $this->_conf['cookie_prefix'];
//print_r($_COOKIE);
if ( isset($_REQUEST['--lang']) ){
-
+ $_REQUEST['--lang'] = basename($_REQUEST['--lang']);
$this->_conf['lang'] = $_REQUEST['--lang'];
} else if ( isset( $_REQUEST['-lang'] ) ){
+ $_REQUEST['-lang'] = basename($_REQUEST['-lang']);
$this->_conf['lang'] = $_REQUEST['-lang'];
if ( @$_COOKIE[$prefix.'lang'] !== $_REQUEST['-lang'] ){
setcookie($prefix.'lang', $_REQUEST['-lang'], null, '/');
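Review bot: the basename() calls added to the --lang and -lang branches are a path-traversal stopgap, not validation. basename() strips directory components, so "../../etc/passwd" becomes "passwd", but basename('..') returns '..' unchanged, and quotes, angle brackets and spaces all pass through, so every other place the language code is used still has to treat it as untrusted. The stronger change at this point is to accept the request value only if it matches an allowlist of the languages actually shipped (a lookup against the configured languages, or at least `preg_match('/^[a-z]{2,3}(_[A-Za-z]{2})?$/', $_REQUEST['-lang'])`) and fall back to the default language otherwise; that also keeps a '..' value out of the cookie written by the setcookie() in the -lang branch.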
@@ -610,6 +611,7 @@
setcookie($prefix.'lang', $this->_conf['lang'], null, '/');
}
+ $this->_conf['lang'] = basename($this->_conf['lang']);
// Set the mode (edit or view)
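Review bot: the new `$this->_conf['lang'] = basename($this->_conf['lang']);` runs after the `setcookie($prefix.'lang', $this->_conf['lang'], null, '/');` immediately above it, so whenever that setcookie branch is taken the value stored in the cookie is the raw one and only the in-memory copy is normalized. Move the basename() (or, better, an allowlist check) above the setcookie so the persisted value is the sanitized one. Since this line is the single choke point for every source of the language setting, the two earlier in-branch basename() calls become redundant once it is placed before the cookie write.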
Index: Dataface/templates/Dataface_Main_Template.html
===================================================================
--- Dataface/templates/Dataface_Main_Template.html (revision 2508)
+++ Dataface/templates/Dataface_Main_Template.html (revision 2509)
@@ -18,7 +18,7 @@
*-------------------------------------------------------------------------------
*}{if !$ENV.APPLICATION_OBJECT->main_content_only}{define_slot name="doctype_tag"}<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">{/define_slot}
-{define_slot name="html_tag"}<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="{$ENV.language}" lang="{$ENV.language}">{/define_slot}
+{define_slot name="html_tag"}<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="{$ENV.language|escape}" lang="{$ENV.language|escape}">{/define_slot}
<head>
{if !$ENV.prefs.no_history}
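Review bot: `|escape` (Smarty's default html mode, which encodes quotes as well as angle brackets) closes the attribute injection in the `<html>` tag, but it only covers this one template. `$ENV.language` should be checked in every other template, and in any PHP that echoes the language code, or escaped once at the point where it is assigned, so a second reflection point does not reopen the issue. Keep this output escaping even though Application.php now applies basename(): basename() leaves exactly the characters that matter in an attribute context untouched, so the template is the control that actually prevents the injection.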
Other Applications
Web Auction
Web Auction 0.3.7 was released today and includes the latest Xataface with this security patch. You can either update your entire Web Auction install, or simply update the "dataface" directory to the latest Xataface.
https://sourceforge.net/projects/webauc ... ion-0.3.7/
Librarian DB
Librarian DB 0.3.1 was released today and includes the latest Xataface with this security patch. You can either update your entire Librarian DB install, or simply update the "dataface" directory to the latest Xataface.
https://sourceforge.net/projects/librar ... ndb-0.3.1/
Internet Media Manager
Internet Media Manager 0.3.1 was released today and includes the latest Xataface with this security patch. You can either update your entire Internet Media Manager install, or simply update the "dataface" directory to the latest Xataface.
https://sourceforge.net/projects/immgr/files/imm-0.3.1/
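Because Web Auction, Librarian DB and Internet Media Manager each ship their own copy of Xataface, a host can easily end up with several "dataface" directories at different revisions. The following shell check is an added example, not part of this post or of the Xataface project: it looks for the two lines that the diff above adds (the basename() normalization in Dataface/Application.php and the |escape modifier in Dataface/templates/Dataface_Main_Template.html) and reports any tree that is still missing either one. The function names and exit codes are this example's own; the file paths are taken from the diff's Index: lines.

```shell
# Added example (not from Xataface or this post): decide whether a Xataface
# tree, or a "dataface" directory bundled with another application, already
# carries the r2509 language fix. Exit status: 0 patched, 1 unpatched,
# 2 not a Xataface tree. Paths come from the diff's Index: lines.
xataface_lang_patched() {
    dir="$1"
    app="$dir/Dataface/Application.php"
    tpl="$dir/Dataface/templates/Dataface_Main_Template.html"

    if [ ! -f "$app" ] || [ ! -f "$tpl" ]; then
        echo "not a Xataface tree: $dir" >&2
        return 2
    fi

    # Post-patch Application.php normalizes the final language value with basename().
    if ! grep -Fq "\$this->_conf['lang'] = basename(\$this->_conf['lang']);" "$app"; then
        echo "UNPATCHED: $app sets the language without basename()" >&2
        return 1
    fi

    # Post-patch template escapes the language code before placing it in the <html> tag.
    if ! grep -Fq 'lang="{$ENV.language|escape}"' "$tpl"; then
        echo "UNPATCHED: $tpl still emits {\$ENV.language} unescaped" >&2
        return 1
    fi

    echo "patched: $dir"
    return 0
}

# Walk a web root, find every bundled copy (any .../Dataface/Application.php)
# and check each one. Returns 1 if any copy is unpatched or unrecognizable.
scan_xataface_copies() {
    root="$1"
    list=$(mktemp) || return 2
    find "$root" -type f -path '*/Dataface/Application.php' > "$list"
    rc=0
    while IFS= read -r app; do
        # $app is <tree>/Dataface/Application.php; the tree root is two levels up.
        tree=$(dirname "$(dirname "$app")")
        xataface_lang_patched "$tree" || rc=1
    done < "$list"
    rm -f "$list"
    return $rc
}

# Usage: scan_xataface_copies /var/www
#        xataface_lang_patched /var/www/webauction/dataface
```

The scan reads the `find` output from a temporary file rather than a pipe so that the unpatched status survives the loop in plain POSIX sh (a piped `while` runs in a subshell and would lose it). A positive result only says the two patched lines are present; it does not confirm that the rest of the tree matches the release, so a full update to the versions listed above is still the recommended path.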