mail through mailing-list
--------------------------
> From: Alex Krohn [mailto:alex@gossamer-threads.com]
> Sent: Saturday, July 08, 2000 9:21 PM
> Subject: DBMan Security Warning!
My extreme apologies for the lateness of this fix, and my thanks to Eric
Brine for bringing it to my attention (unfortunately it came while I was
away and the person who received it did not give it the proper attention
it deserved).
I will update DBMan in the next 10 minutes or so fixing that issue, and
a minor one brought to my attention from Blackwatch Labs -- passing in
an invalid config file name can give viewers insight into your system
setup as it shows the environment variables. By default you won't get a
full error message unless db_debug is turned on.
For those of you who have modified it a lot, it is a quick fix: in
db.cgi, in sub query, replace:
$regexp_func[$field] = eval "sub { m/$tmpreg/o; }";
with:
$regexp_func[$field] = eval 'sub { m/$tmpreg/o; }';
Again, my apologies about this! Once we finish our new SQL library, we
plan to release a new updated version of DBMan as everyone here at
Gossamer (myself included) has learned a lot, and the new code will show
that. =)
Neither DBMan SQL, Links SQL nor Gossamer Mail is affected by this
(FileMan and Links 2.0 are, but it's only in the admin so it's not as
critical -- but we will update it as well). If you have any questions
about this, please don't hesitate to ask!
Cheers,
Alex
------------------------------------
Close Watch
LyricZ http://www.lyricz.12inter.net
NL
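
Why the change of quotes in the message above matters, as an added example (not DBMan's code): with double quotes the value of $tmpreg is pasted into the Perl source before it is compiled, while with single quotes the source is fixed and $tmpreg is only read as a pattern when the closure runs. Only the two eval lines come from the message; the sample values, the loop and the output are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values standing in for a search term from a form field.
# The "/" in the second one is the character that matters: it is the m//
# delimiter, so it ends the regex literal when it lands in source text.
my @samples = ('smith', 'a/b');

for my $tmpreg (@samples) {
    # Old line: double quotes interpolate $tmpreg into the string, so the
    # Perl parser compiles whatever text the visitor supplied.
    my $source     = "sub { m/$tmpreg/o; }";
    my $before     = eval $source;
    my $before_err = $@;

    # Fixed line: single quotes keep the source constant. $tmpreg is
    # captured by the closure and interpolated by the regex engine only.
    my $after = eval 'sub { m/$tmpreg/o; }';

    print "value               : $tmpreg\n";
    print "source seen (before): $source\n";
    print "before              : ",
        ($before ? "compiled" : "parser error: " . (split /\n/, $before_err)[0]),
        "\n";

    # m// without a target matches against $_, as in the original sub.
    local $_ = "record with $tmpreg in it";
    print "after               : ",
        ($after->() ? "value matched as a pattern" : "no match"), "\n\n";
}
```

For the second value the old form fails to compile because everything after the slash was parsed as Perl, which is the code path the fix closes; the fixed form still treats the value as a regular expression, so it does not make the search term a literal string.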