Title    Security: add 'id' to filter_params
Date    Friday January 04 2008, @03:00PM
Author    jamiemccarthy

Whatever version of Slash you are running, please add 'id' to the list of numeric filtered parameters. This list can be found in the filter_params subroutine in If you are on near-current code, you can just update to current code, as the fix is in CVS. If not, here is the (extremely simple) diff:

diff -U3 -r1.223 -r1.224
--- Slash/Utility/Environment/	24 Oct 2007 21:19:34 -0000	1.223
+++ Slash/Utility/Environment/	4 Jan 2008 19:14:07 -0000	1.224
@@ -1823,7 +1823,7 @@

 	# fields that are numeric only
 	my %nums = map {($_ => 1)} qw(
-		approved artcount art_offset bseclev
+		approved artcount art_offset bseclev id
 		buymore cid clbig clsmall cm_offset
 		commentlimit commentsort commentspill
 		del displaystatus limit
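Review bot: the one-word change is correct but it only extends an allowlist, so any parameter that is not named in this qw() list still bypasses numeric coercion entirely; it would be worth pairing it with a regression test that submits a non-numeric value for id and asserts filter_params strips or drops it, so the entry cannot silently vanish from the list in a later merge.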

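To make concrete what the single added word buys you, here is a reduced, hypothetical model of the numeric branch of filter_params (added example, not Slash's own code; the real routine handles other field classes too). The allowlists are built in the same `map {($_ => 1)} qw(...)` shape as the hunk, once as in 1.223 and once as in 1.224, and the same constructed request hash is pushed through both. The coercion rule used here (keep a leading run of digits, otherwise drop the field) is an assumption for illustration, as are the `numeric_fields` and `filter_numeric` names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a numeric-only allowlist in the same shape as the hunk above.
sub numeric_fields {
    my @names = @_;
    return +{ map { ($_ => 1) } @names };
}

# Hypothetical reduced filter: for every key in $nums, keep only a leading
# integer and drop the field if none is present; other keys pass through.
sub filter_numeric {
    my ($nums, $params) = @_;
    my %clean;
    for my $key (keys %$params) {
        my $value = $params->{$key};
        if ($nums->{$key}) {
            if (defined $value && $value =~ /^\s*(\d+)/) {
                $clean{$key} = $1;   # coerced to digits only
            }
            # non-numeric or empty value: field is dropped
        } else {
            $clean{$key} = $value;   # not in the allowlist: untouched
        }
    }
    return \%clean;
}

my @common = qw(approved artcount art_offset bseclev
               buymore cid clbig clsmall cm_offset
               commentlimit commentsort commentspill
               del displaystatus limit);
my $before = numeric_fields(@common);          # list as of 1.223
my $after  = numeric_fields(@common, 'id');    # list as of 1.224

# constructed sample request: a CGI-style parameter hash
my %request = (
    id    => "42abc",      # trailing junk after the number
    cid   => "abc",        # no number at all
    limit => " 10",
    nick  => "someuser",   # never numeric-filtered
);

for my $case ([ before => $before ], [ after => $after ]) {
    my ($label, $nums) = @$case;
    my $clean = filter_numeric($nums, \%request);
    print "$label: ",
        join(', ', map { "$_=" . $clean->{$_} } sort keys %$clean), "\n";
}
```

Run it and compare the two lines: with the 1.223 list, cid is dropped and limit is coerced, but id reaches the application exactly as submitted because it is not in %nums; with 'id' added, it is reduced to 42 like the other numeric fields. That difference is the whole point of the patch, and it is why a parameter used as a database key belongs in the list.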
You should also change the passwords for all your admin user accounts.

We are working on a more complete writeup of this issue, and we will append it to this story on Monday morning, Jan. 7. Please check back then. This message is also being sent to our slashcode-general mailing list (which all Slash site administrators should be reading).

Monday Update: Please see today's story with more information and a new (also small) patch.
