[freeside-commits] branch FREESIDE_2_3_BRANCH updated. 1b0e3600f2004f0977c9906b3f7db56f3ca80f5d

Ivan ivan at 420.am
Sun Nov 11 22:34:23 PST 2012


The branch, FREESIDE_2_3_BRANCH has been updated
       via  1b0e3600f2004f0977c9906b3f7db56f3ca80f5d (commit)
      from  ecca16c3680dc94b13150d07b57d597d9f9482fe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1b0e3600f2004f0977c9906b3f7db56f3ca80f5d
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 11 22:34:22 2012 -0800

    fix XSS

diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 7fe00e6..d5fe154 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2004,6 +2004,9 @@ sub _usage_details {
     $p->{ending}    = $end;
   }
 
+  die "illegal beginning" if $beginning !~ /^\d*$/;
+  die "illegal ending"    if $ending    !~ /^\d*$/;
+
   my (@usage) = &$callback($svc_x, $p->{beginning}, $p->{ending}, 
     %callback_opt
   );
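Review bot: the validation and the values actually used do not line up in this hunk: the new `die` checks test `$beginning` and `$ending`, but the callback two lines below is invoked with `$p->{beginning}` and `$p->{ending}`, and the visible context (`$p->{ending} = $end;`) shows those hash slots being assigned from a different variable. Unless the surrounding code guarantees `$p->{beginning}`/`$p->{ending}` are always copies of the checked scalars, the check should be applied to the values passed on, e.g. `die "illegal beginning" if $p->{beginning} !~ /^\d*$/;`. Also consider `/\A\d*\z/` instead of `/^\d*$/`: with `$`, Perl accepts a trailing newline, so `"123\n"` passes the filter while still being a non-numeric string for the callback.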
diff --git a/fs_selfservice/FS-SelfService/cgi/change_pkg.html b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
index a841308..2d7b488 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_pkg.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
@@ -14,8 +14,8 @@ function enable_change_pkg () {
 <FORM NAME="ChangePkgForm" ACTION="<%= $selfurl %>" METHOD=POST>
 <INPUT TYPE="hidden" NAME="session" VALUE="<%= $session_id %>">
 <INPUT TYPE="hidden" NAME="action" VALUE="process_change_pkg">
-<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= $pkgnum %>">
-<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= $pkg %>">
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= encode_entities($pkgnum) %>">
+<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= encode_entities($pkg) %>">
 <TABLE BGCOLOR="#cccccc" BORDER=0 CELLSPACING=0>
 <TR>
   <TD COLSPAN=2><SELECT NAME="pkgpart" onChange="enable_change_pkg()">
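Review bot: the escaping added here is applied only to `pkgnum` and `pkg`, while the two interpolations just above in the same form, `<%= $selfurl %>` in the ACTION attribute and `<%= $session_id %>` in the session field, are still emitted raw. Even if those values are server-generated today, escaping every `<%= ... %>` in the template consistently is simpler to verify than reasoning about each source, so suggest wrapping them in `encode_entities(...)` as well. Please also confirm that `HTML::Entities` is imported in the scope this template is rendered in; the hunk introduces the call without showing where the function comes from, and a missing import would turn the fix into a runtime error.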

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/ClientAPI/MyAccount.pm                      |    3 +++
 fs_selfservice/FS-SelfService/cgi/change_pkg.html |    4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
