[dokuwiki] Re: Security Tracker "bug", Request Patch

  • From: Burton Rosenberg <burt@xxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 2 Jun 2006 23:19:23 -0400


Specific to this patch, isn't it a bit stronger to clean user input by matching positively against the format desired, versus stripping just some bad characters? I don't know PHP well enough, but you are allowing the pipe through, which causes mischief for Perl.


Names are tough, I know, but email address should be limited by RFC 1035 for domain names, and RFC 2822 for user names. (I think.)

-burt
On Jun 2, 2006, at 3:33 PM, Andreas Gohr wrote:

burt wrote:
Thanks. I think this is a good plan. However, I am concerned that I don't end up running beta code, but keeping in sync w/ the dev tree.

I don't recommend running devel releases on production servers. Instead you should just fix security problems. Critical bugs are always announced at the freshmeat announcement list together with a link to a description on how to manually fix the problem. Usually a fixed release (version number just gets a letter appended) is provided for download as well.


However, in this case the problem is considered non-critical as it is only exploitable by admin users. Normal users could just hack themselves ;-)

See
http://bugs.splitbrain.org/?do=details&id=820
on how you could fix it yourself.

Andi

--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
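
The two approaches Burt contrasts above, side by side in PHP, as an added example (this is not the patch under discussion and not DokuWiki code). The denylist function strips a few "bad" characters and lets everything else through, so a pipe survives; the allowlist functions accept a value only when the whole string matches the wanted format and reject it otherwise. The exact patterns, the function names and the sample inputs are assumptions chosen for illustration. Note that the local-part pattern is narrower than RFC 2822's full atext set (which itself permits characters such as `|`), and the domain labels follow RFC 1035 label syntax with the RFC 1123 relaxation that allows a leading digit.

```php
<?php
// Added example, not DokuWiki code: denylist stripping versus allowlist
// matching for an e-mail address and a user name. Patterns, names and
// sample inputs below are assumptions for illustration.

/**
 * Denylist approach: remove a handful of characters known to break the
 * storage format and pass the remainder through unchanged. Anything not
 * on the list (here, the pipe and a trailing newline) survives.
 */
function clean_denylist(string $input): string
{
    return str_replace(array(':', '<', '>', '"'), '', $input);
}

/**
 * Allowlist approach for an e-mail address: accept only if the entire
 * string matches the wanted shape, otherwise return null.
 *
 * Local part: conservative subset of RFC 2822 atext (assumption; the full
 * atext set also allows characters such as | ! # $ % & ' * / = ? ^ ` { } ~).
 * Domain: RFC 1035 labels, 1..63 characters each, letters/digits/hyphen,
 * no hyphen at either end, at least two labels (leading digit permitted
 * per RFC 1123). Overall length capped at 254 characters.
 *
 * The D modifier makes $ match only at the very end of the string, so a
 * trailing newline ("burt@example.com\n") is rejected instead of slipping
 * past the anchor.
 */
function validate_email(string $input): ?string
{
    $local   = '[A-Za-z0-9._%+-]+';
    $label   = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/^' . $local . '@' . $label . '(?:\.' . $label . ')+$/D';

    if (strlen($input) > 254 || !preg_match($pattern, $input)) {
        return null;
    }
    return $input;
}

/**
 * Allowlist approach for a login name: lowercase letter first, then up to
 * 31 lowercase letters, digits, underscore, dot or hyphen (assumed policy).
 */
function validate_username(string $input): ?string
{
    if (!preg_match('/^[a-z][a-z0-9_.-]{0,31}$/D', $input)) {
        return null;
    }
    return $input;
}

// Constructed sample inputs: one clean address, one carrying a pipe, one
// with a trailing newline, one with a colon (the only one the denylist
// actually changes).
$samples = array(
    'burt@example.com',
    'burt|evil@example.com',
    "burt@example.com\n",
    'burt:x@example.com',
);

foreach ($samples as $s) {
    printf(
        "%-28s denylist=%-26s allowlist=%s\n",
        json_encode($s),
        json_encode(clean_denylist($s)),
        json_encode(validate_email($s))
    );
}

foreach (array('burt', 'burt|evil', 'Burt', '9lives') as $u) {
    printf("%-12s username=%s\n", json_encode($u), json_encode(validate_username($u)));
}
```

Run with `php example.php`: the denylist column shows the pipe and the trailing newline passing straight through, while the allowlist column prints `null` for every sample except the plain address. The point is that a denylist has to enumerate every character every downstream consumer (colon-delimited auth file, Perl tools, shell) treats specially, whereas an allowlist only has to describe the one shape the application wants.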
