On Mon, Dec 11, 2006 at 08:17:11PM +0100, Bernhard R. Link wrote:
> I was just made aware, that
> http://packages.debian.org/cgi-bin/download.pl
> is very liberal in putting arbitrary stuff in the website,
> try for example:
>
> http://packages.debian.org/cgi-bin/download.pl?arch=i386&file="></a><javascript><a
> href="&md5sum=<br><b>ups</b>&type=main
>
> I think it should really only let characters safe for filenames
> (Debian packages are [A-Za-z0-9_.+~:-] I think) through for files
> and best omit the md5sum completely if it is that easy to fake.
Fixed and uploaded, see #402631.

Javier
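The report above describes a reflected-output problem: query parameters were copied into the page without validation. The following is an added illustration of the fix Bernhard suggests, not the code of packages.debian.org or of the upload referenced in #402631. It whitelists the `file` parameter against the character class quoted in the report, restricts the optional `md5sum` to a 32-digit hex string instead of echoing it, and HTML-escapes everything it emits as a second layer. The `arch` pattern, the `InvalidParameter` exception and the function names are my own assumptions.

```python
import html
import re

# Whitelist from the bug report: Debian package filenames use only
# [A-Za-z0-9_.+~:-]. Anchored with \A and \Z so a trailing newline cannot
# slip past the check (a bare "$" would accept "foo.deb\n").
FILENAME_RE = re.compile(r"\A[A-Za-z0-9_.+~:-]+\Z")
# Assumption: architecture names are short lowercase tokens such as "i386".
ARCH_RE = re.compile(r"\A[a-z0-9-]+\Z")
# Assumption: if md5sum is kept at all, only a 32-digit hex string is accepted.
MD5_RE = re.compile(r"\A[0-9a-f]{32}\Z")


class InvalidParameter(ValueError):
    """Raised when a query parameter fails the whitelist."""


def validate_download_params(params):
    """Validate the CGI parameters before any of them reach HTML.

    params: mapping of query-string name -> value (already URL-decoded).
    Returns a new dict holding only the known, validated keys.
    """
    clean = {}

    arch = params.get("arch", "")
    if not ARCH_RE.match(arch):
        raise InvalidParameter("arch")
    clean["arch"] = arch

    fname = params.get("file", "")
    # Extra guard beyond the character class: "." and ".." match the regex
    # but are never package filenames.
    if not FILENAME_RE.match(fname) or fname.startswith("."):
        raise InvalidParameter("file")
    clean["file"] = fname

    # md5sum is optional; a malformed value is rejected, never echoed.
    md5 = params.get("md5sum")
    if md5 is not None:
        md5 = md5.lower()
        if not MD5_RE.match(md5):
            raise InvalidParameter("md5sum")
        clean["md5sum"] = md5

    return clean


def is_valid_download(params):
    """Boolean form of validate_download_params for callers that only branch."""
    try:
        validate_download_params(params)
    except InvalidParameter:
        return False
    return True


def render_download_row(params):
    """Build the HTML fragment for one download link.

    Validation already restricts the values, but html.escape() is applied
    anyway: if the whitelist is ever loosened, the output stays inert.
    """
    clean = validate_download_params(params)
    href = html.escape(f"/{clean['arch']}/{clean['file']}", quote=True)
    row = f'<a href="{href}">{html.escape(clean["file"])}</a>'
    if "md5sum" in clean:
        row += f" <tt>{html.escape(clean['md5sum'])}</tt>"
    return row


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request, one shaped like the
    # markup-injecting query from the report.
    good = {"arch": "i386", "file": "hello_2.10-1_i386.deb",
            "md5sum": "d41d8cd98f00b204e9800998ecf8427e"}
    bad = {"arch": "i386", "file": '"></a><javascript><a', "md5sum": "<br><b>ups</b>"}
    print(render_download_row(good))
    print("injection attempt accepted?", is_valid_download(bad))
```

The whitelist, not the escaping, is the primary control here: a filename that matches `[A-Za-z0-9_.+~:-]+` cannot contain a quote, an angle bracket or an ampersand, so it cannot break out of an attribute or start a tag. Escaping remains in place so that a future change to the pattern does not silently reintroduce the problem.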