[pLog-svn] Lifetype 1.2.8 ...

Mark Wu markplace at gmail.com
Sun May 4 05:34:49 EDT 2008 

There is no test case for both of them. 

For 6435, you can try to revert the code first, then try to search your
article category with a keyword that you don't have, for example 'abc'.

Without the fix, when you search your article category in admin panel, it
will show other blog owners's article category with search term 'abc'. See
the search sql below:

Select *  from article_categories where blog_id=1 and name LIKE '%abc%' OR
description LIKE '%abc%'   v.s

Select *  from article_categories where blog_id=1 and (name LIKE '%abc%' OR
description LIKE '%abc%' ) 

Do you see the different? So, I say it is a more serious bug. Because it can
show other article categories...

For 6436 & 6437, Just fix the XSS you reported in svn.

Mark


> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Sunday, May 04, 2008 5:25 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Lifetype 1.2.8 ...
> 
>  	I think we need to release 1.2.8, at least right when 
> we release 2.0, because of the wizard fix, so any future 
> upgrades from 1.1 (or 0.3 - someone posted to the forums the 
> other day wanting to upgrade from
> 0.3.1...) will not have issues.
>  	I did wake up this morning wondering if our version 
> compare tool works if we hit two digits in the minor version 
> section (ie. 1.2.10 is earlier or later than 1.2.9?).
> 
>  	Mark, can you explain the issues with the two fixes 
> that you fixed recently -- I am not clear as to what they 
> were, and how serious they are. 
> Also, is there a way for our testing system to catch these 
> sorts of bugs? 
> It would be great if there were tests that then we could run 
> on other bits of code too.
> 
> On Sun, 4 May 2008, Mark Wu wrote:
> 
> > Although we already have conclutsion that we won't release 
> new version 
> > of 1.2.x ...
> >
> > But, I think we should release 1.2.8 due to some secutiry fix:
> >
> > 1.rev 3435,  it fix when user search article categories, it 
> will show 
> > other's article category ... (It is a serious bug) 2.rev 
> 3436,  it fix 
> > the bug Jon found here:
> > http://www.securityfocus.com/archive/1/491550
> >
> > Please let me know if these two fixes works for you.
> >
> > Mark
> >
> 
> --
> Jon Daley
> http://jon.limedaley.com/
> 
> By swallowing evil words unsaid, no one has ever harmed his stomach.
> -- Winston Churchill
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn

More information about the pLog-svn mailing list