Slash Boxes

Slash Open Source Project

Security: add 'id' to filter_params

posted by jamiemccarthy on Friday January 04, @03:00PM   Printer-friendly   Email story

Whatever version of Slash you are running, please add 'id' to the list of numeric filtered parameters. This list can be found in the filter_params subroutine in If you are on near-current code, you can just update to current code, as the fix is in CVS. If not, here is the (extremely simple) diff:

diff -U3 -r1.223 -r1.224
--- Slash/Utility/Environment/	24 Oct 2007 21:19:34 -0000	1.223
+++ Slash/Utility/Environment/	4 Jan 2008 19:14:07 -0000	1.224
@@ -1823,7 +1823,7 @@

 	# fields that are numeric only
 	my %nums = map {($_ => 1)} qw(
-		approved artcount art_offset bseclev
+		approved artcount art_offset bseclev id
 		buymore cid clbig clsmall cm_offset
 		commentlimit commentsort commentspill
 		del displaystatus limit

You should also change the passwords for all your admin user accounts.

We are working on a more complete writeup of this issue, and we will append it to this story on Monday morning, Jan. 7. Please check back then. This message is also being sent to our slashcode-general mailing list (which all Slash site administrators should be reading).

Monday Update: Please see today's story with more information and a new (also small) patch.

Display Options Threshold:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.