[freeside-commits] branch master updated. 4ee7d66497689819f80f29795b93f0ba564141e7

Ivan ivan at 420.am
Sun Nov 11 22:34:21 PST 2012


The branch, master has been updated
       via  4ee7d66497689819f80f29795b93f0ba564141e7 (commit)
      from  b2101823682f3738f5b367d2c1f2a7c6d47cdad1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4ee7d66497689819f80f29795b93f0ba564141e7
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 11 22:34:20 2012 -0800

    fix XSS

diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 3f7c004..d07b383 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2037,6 +2037,9 @@ sub _usage_details {
     $p->{ending}    = $end;
   }
 
+  die "illegal beginning" if $beginning !~ /^\d*$/;
+  die "illegal ending"    if $ending    !~ /^\d*$/;
+
   my (@usage) = &$callback($svc_x, $p->{beginning}, $p->{ending}, 
     %callback_opt
   );
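Review bot: the new guards test `$beginning` and `$ending`, but the values actually handed to the callback on the following lines are `$p->{beginning}` and `$p->{ending}`, and the visible context shows `$p->{ending} = $end;` being assigned from yet another variable; please confirm these refer to the same values, otherwise the validation does not cover what is used. Two smaller points on the pattern itself: `/^\d*$/` accepts the empty string, which may or may not be intended for a range bound, and in Perl `$` matches before a trailing newline, so `/^\d*\z/` is the stricter anchor. A bare `die` inside a ClientAPI method also surfaces as a generic failure to the self-service caller; if the surrounding API returns `{ error => ... }` hashes, that is the more consistent way to report an invalid parameter.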
diff --git a/fs_selfservice/FS-SelfService/cgi/change_pkg.html b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
index a841308..2d7b488 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_pkg.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
@@ -14,8 +14,8 @@ function enable_change_pkg () {
 <FORM NAME="ChangePkgForm" ACTION="<%= $selfurl %>" METHOD=POST>
 <INPUT TYPE="hidden" NAME="session" VALUE="<%= $session_id %>">
 <INPUT TYPE="hidden" NAME="action" VALUE="process_change_pkg">
-<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= $pkgnum %>">
-<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= $pkg %>">
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= encode_entities($pkgnum) %>">
+<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= encode_entities($pkg) %>">
 <TABLE BGCOLOR="#cccccc" BORDER=0 CELLSPACING=0>
 <TR>
   <TD COLSPAN=2><SELECT NAME="pkgpart" onChange="enable_change_pkg()">
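Review bot: `encode_entities` is now applied to `$pkgnum` and `$pkg`, but `$selfurl` in the form's `ACTION` and `$session_id` in the hidden `session` field on the two lines just above are still interpolated unescaped; escaping every interpolated attribute value in this form the same way avoids leaving a second sink to audit. Both new values sit in double-quoted `VALUE` attributes, which `encode_entities` handles (it encodes `"` by default), so the fix is correct for these two fields; please also confirm `HTML::Entities` is imported in the scope these templates are evaluated in, since the hunk does not show the import.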

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/ClientAPI/MyAccount.pm                      |    3 +++
 fs_selfservice/FS-SelfService/cgi/change_pkg.html |    4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
