X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   News and Announcements (https://forum.x-cart.com/forumdisplay.php?f=28)
-   -   Security bulletin 2008-12-18 (https://forum.x-cart.com/showthread.php?t=44301)

JWait 12-19-2008 06:10 AM

Re: Security bulletin 2008-12-18
 
Is this patch going to have any surprise effects like the last two have? I am referring to the problem with user names and cookies, although this patch could have some other undesired effect. Anyway, is there something that is not said that we should be aware of about how this will affect our store?

Jon 12-19-2008 07:38 AM

Re: Security bulletin 2008-12-18
 
What I do is put the new files in one directory, download the same files in another directory, then use a program called "Beyond Compare" to apply the changes to my files. This patch was one of the easier ones.

Ene 12-19-2008 07:44 AM

Re: Security bulletin 2008-12-18
 
Quote:

Is this patch going to have any surprise effects like the last two have? I am referring to the problem with user names and cookies, although this patch could have some other undesired effect. Anyway, is there something that is not said that we should be aware of about how this will affect our store?

This patch adds a stricter check of the sent variables (POST, GET, COOKIES, etc.).

It doesn't have any 'hidden' impacts.

elmirage001 12-19-2008 09:43 AM

Re: Security bulletin 2008-12-18
 
Hi All,

I applied the security patch yesterday using Jon's method above to view the file changes. None of the affected files had been modified so it was an easy overwrite for me.

No problems to report or any user difficulties. New customers and orders processing just fine.

Merry Christmas To All !

Paul

p.s. Santa says to always listen to Jon

photo 12-19-2008 02:10 PM

Re: Security bulletin 2008-12-18
 
Eugene,
I have checked over the new files against my existing files and the only line of code I am questioning is in xcart/include/register.php

Existing Code:
Code:

if ((strcmp($uname_tmp, $uname) !=0) || (eregi("[^a-z0-9_-.@]",$uname) && $newbie == "Y" && $anonymous != "Y"))
New Code:
Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-z0-9_-]+$/s", $uname) && $uname != ""))

Could you please advise if it is ok to leave the existing code? If I replace that line of code I am concerned that existing customers will not be able to login using upper case letters or @ in their login name/password fields.


Thanks

Jon 12-19-2008 02:15 PM

Re: Security bulletin 2008-12-18
 
Try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-]+$/s", $uname) && $uname != ""))

photo 12-19-2008 02:23 PM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by Jon
Try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-]+$/s", $uname) && $uname != ""))


Thanks Jon
Will users be able to have an @ in their username or password with the code you posted?

Jon 12-19-2008 02:54 PM

Re: Security bulletin 2008-12-18
 
That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))

photo 12-19-2008 02:57 PM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by Jon
That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))


Thanks a lot Jon, I'll try that out.

photo 12-19-2008 03:23 PM

Re: Security bulletin 2008-12-18
 
Quote:

Originally Posted by Jon
That was for upper case. To allow @ also try:

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-@]+$/s", $uname) && $uname != ""))


Jon, that did not work. When I tried to create an account with
Username: Test@
Password: Test@61

I received the error message that only a-z and 0-9 could be used. I put back,
Code:

if ((strcmp($uname_tmp, $uname) !=0) || (eregi("[^a-z0-9_-.@]",$uname) && $newbie == "Y" && $anonymous != "Y"))
and was able to register with the same username/password combo.
I have the rest of the patch installed and if I leave that original line of code in everything seems to be working fine. I wonder if it would be safe to leave like that?


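The failure photo reports above has a mechanical cause that is worth seeing in code. In the pattern `/^[a-zA-Z0-9_-@]+$/s` the sequence `_-@` is not "underscore, hyphen, at-sign" but a character range from `_` (0x5F) down to `@` (0x40). PCRE refuses to compile a range whose end is below its start, `preg_match()` then returns `false` with a warning, and the leading `!` in the patched condition turns that `false` into "reject", so every non-empty username fails with the generic a-z/0-9 message. The script below is an added example, not code from the X-Cart patch or from anyone in this thread; it runs the thread's patterns, plus a corrected class with the hyphen placed last (the name `check_username` and the pattern labels are mine), against the thread's `Test@` input and a trailing-newline case.

```php
<?php
// Added example (not X-Cart code). Assumes plain PHP >= 7.0 with the PCRE extension.

// The patterns discussed in the thread plus a corrected one. In 'with_at' the
// sequence "_-@" is parsed as a range from '_' (0x5F) down to '@' (0x40),
// which PCRE rejects at compile time.
const PATTERNS = [
    'patch'     => '/^[a-z0-9_-]+$/s',      // the patched line: lower case only
    'uppercase' => '/^[a-zA-Z0-9_-]+$/s',   // first suggestion: adds upper case
    'with_at'   => '/^[a-zA-Z0-9_-@]+$/s',  // second suggestion: invalid range
    'fixed'     => '/^[a-zA-Z0-9_@-]+\z/',  // hyphen last = literal; \z refuses a trailing newline
];

/**
 * Evaluate a username the way the patched register.php condition does and
 * report whether it would be rejected, together with any PCRE compile error.
 * Returns ['rejected' => bool, 'compile_error' => ?string].
 */
function check_username(string $pattern, string $uname): array
{
    $compileError = null;
    // Capture the E_WARNING preg_match() raises on a compile failure instead
    // of letting it reach the page output.
    set_error_handler(function (int $errno, string $errstr) use (&$compileError): bool {
        $compileError = $errstr;
        return true;
    });
    $matched = preg_match($pattern, $uname);
    restore_error_handler();

    // Same shape as the patched condition: on a compile failure $matched is
    // false, "!false" is true, so every non-empty username is rejected.
    $rejected = (!$matched && $uname !== '');
    return ['rejected' => $rejected, 'compile_error' => $compileError];
}

// Constructed inputs: the username from the thread, its lower-case form,
// a value with a trailing newline, and the empty string the check exempts.
foreach (['Test@', 'test', "Test\n", ''] as $uname) {
    foreach (PATTERNS as $name => $pattern) {
        $r = check_username($pattern, $uname);
        printf(
            "%-10s %-9s rejected=%-3s %s\n",
            $name,
            json_encode($uname),
            $r['rejected'] ? 'yes' : 'no',
            $r['compile_error'] !== null ? '(' . $r['compile_error'] . ')' : ''
        );
    }
}
```

Two things the output makes visible. First, `with_at` rejects `Test@` and even plain `test` while reporting a "range out of order in character class" compile error, which is exactly the symptom in the post above; `fixed` accepts `Test@` because the hyphen sits at the end of the class and is therefore a literal. Second, with the `$` anchor and no `D` modifier, `uppercase` accepts `"Test\n"` because `$` is allowed to match just before a final newline; the `fixed` pattern uses `\z` so the whole string has to consist of permitted characters. The original `eregi("[^a-z0-9_-.@]", ...)` line has the same construction problem in the POSIX dialect (`_-.` is a range from `_` down to `.`, which regcomp rejects with REG_ERANGE), and a failed `eregi()` returns `false` on the other side of an `&&`, so that line never rejected anything; that is why `Test@` registered fine with it. `ereg` was removed in PHP 7, so the script above does not exercise it.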