changeset 520:77526f8f3ecf

Fixed XSS issue which could lead to cookie theft etc. Thanks to the CAcert Security Team! imported from: moin--main--1.5--patch-524
author Alexander Schremmer <alex@alexanderweb.de.tla>
date Wed, 05 Apr 2006 08:32:20 +0000
parents 87d81b35c01c
children d3a173c26e1c
files ChangeLog MoinMoin/action/AttachFile.py docs/CHANGES
diffstat 3 files changed, 14 insertions(+), 1 deletions(-)
--- a/ChangeLog	Fri Mar 31 19:56:30 2006 +0000
+++ b/ChangeLog	Wed Apr 05 08:32:20 2006 +0000
@@ -2,6 +2,18 @@
 # arch-tag: automatic-ChangeLog--arch@arch.thinkmo.de--2003-archives/moin--main--1.5
 #
 
+2006-04-05 09:32:20 GMT	Alexander Schremmer <alex@alexanderweb.de.tla>	patch-524
+
+    Summary:
+      Fixed XSS issue which could lead to cookie theft etc. Thanks to the CAcert Security Team!
+    Revision:
+      moin--main--1.5--patch-524
+
+
+    modified files:
+     ChangeLog MoinMoin/action/AttachFile.py docs/CHANGES
+
+
 2006-03-31 20:56:30 GMT	Thomas Waldmann <tw@waldmann-edv.de>	patch-523
 
     Summary:
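Review bot: the Summary in the new ChangeLog entry (patch-524) repeats the commit message but never says what was actually changed; the only code change in this patch is in MoinMoin/action/AttachFile.py, where the Content-Disposition sent for attachments is switched from inline to attachment. Suggest adding one line to the Summary stating that, so an administrator reading the log knows this is the mechanism (uploaded attachments are no longer rendered in the wiki's origin but offered as a download) and can judge whether to backport it.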
--- a/MoinMoin/action/AttachFile.py	Fri Mar 31 19:56:30 2006 +0000
+++ b/MoinMoin/action/AttachFile.py	Wed Apr 05 08:32:20 2006 +0000
@@ -644,7 +644,7 @@
         "Content-Length: %d" % os.path.getsize(fpath),
         # TODO: fix the encoding here, plain 8 bit is not allowed according to the RFCs
         # There is no solution that is compatible to IE except stripping non-ascii chars
-        "Content-Disposition: inline; filename=\"%s\"" % filename.encode(config.charset),
+        "Content-Disposition: attachment; filename=\"%s\"" % filename.encode(config.charset),
     ])
 
     # send data
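Review bot: the fix relies entirely on the disposition change, while the filename on the `+` line is still spliced unescaped into the header's quoted-string (`"Content-Disposition: attachment; filename=\"%s\"" % filename.encode(config.charset)`), so an attachment name containing `"` or `\` can still terminate the quoted-string early, and the TODO two lines above about non-ASCII bytes remains open. Suggest escaping `\` and `"` in the filename (or restricting attachment names to a safe character set) before formatting the header. Switching to attachment is the right move against the reported XSS, since the browser no longer renders an uploaded HTML file in the wiki's origin, but it also means every attachment now downloads instead of displaying inline; that user-visible change should be called out in the commit message.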
--- a/docs/CHANGES	Fri Mar 31 19:56:30 2006 +0000
+++ b/docs/CHANGES	Wed Apr 05 08:32:20 2006 +0000
@@ -44,6 +44,7 @@
     * if not (editor_force and editor_default == 'text') then display GUI mode
       switch button (this is only a partial fix, but enough to deny the GUI
       mode to your users completely)
+    * Fixed XSS issue which could lead to cookie theft etc.
   
   Other changes:
     * moved back UserPreferences action link from menu to top of page (renaming
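Review bot: the new docs/CHANGES line under the fixes list says only "Fixed XSS issue which could lead to cookie theft etc." and leaves out the user-visible effect of the fix: attachments served by AttachFile.py are now sent with `Content-Disposition: attachment`, so browsers offer them as a download rather than displaying them inline. Suggest stating that here, and crediting the reporter (the CAcert Security Team, as the ChangeLog entry does), so release notes readers understand why attachment behaviour changed.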