[commits] Horde branch master updated. 1550c6ecd7204f9579fcbb09ec7089e01b0771e2

Michael M Slusarz slusarz at horde.org
Mon Oct 29 21:49:25 UTC 2012


The branch "master" has been updated.
The following is a summary of the commits.

from: 9d3224f6684a9dccf461f1f634fb97d359a0e294

aa19a17 [mms] Need to unescape JSON data returned in a text/html response.
9037dfa [mms] Fix regression in adding an attachment in minimal view.
1550c6e [mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from the browser's local filesystem that has a filename that contains HTML.

-----------------------------------------------------------------------

commit aa19a1703f06c98aa1712d6f1509e0cee5a9c119
Author: Michael M Slusarz <slusarz at horde.org>
Date:   Mon Oct 29 15:29:07 2012 -0600

    [mms] Need to unescape JSON data returned in a text/html response.

 framework/Core/js/hordecore.js |    2 +-
 framework/Core/package.xml     |    2 ++
 2 files changed, 3 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/aa19a1703f06c98aa1712d6f1509e0cee5a9c119

-----------------------------------------------------------------------

commit 9037dfac8c4e74c9966c302a3b8a01ecb827c3e6
Author: Michael M Slusarz <slusarz at horde.org>
Date:   Mon Oct 29 15:42:03 2012 -0600

    [mms] Fix regression in adding an attachment in minimal view.

 imp/docs/CHANGES            |    1 +
 imp/lib/Minimal/Compose.php |    6 +++---
 imp/package.xml             |    4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/9037dfac8c4e74c9966c302a3b8a01ecb827c3e6

-----------------------------------------------------------------------

commit 1550c6ecd7204f9579fcbb09ec7089e01b0771e2
Author: Michael M Slusarz <slusarz at horde.org>
Date:   Mon Oct 29 15:38:00 2012 -0600

    [mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from the browser's local filesystem that has a filename that contains HTML.
    
    This attack requires a filesystem that supports angled brackets in
    filenames (Windows does NOT; Linux does). Essentially, a user has to
    upload a malicious filename that they created on their own filesystem.
    
    Conflicts:
    	imp/docs/CHANGES
    	imp/js/compose-dimp.js
    	imp/package.xml

 imp/docs/CHANGES       |    6 ++++--
 imp/js/compose-dimp.js |    2 +-
 imp/package.xml        |    3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)

http://git.horde.org/horde-git/-/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2



