Hi Brian,
I made a diff with the Meld tool for both versions and this is the result:
file: inc/autoload.function.php (line 87)
Version 0.83.91
    // empty classname or non concerted plugin or classname containing dot (leaving GLPI main treee)
    if (empty($classname) || is_numeric($classname) || (strpos($classname, '.') !== false)) {
        return false;
    }
Version 0.83.9
    // empty classname or non concerted plugin
    if (empty($classname) || is_numeric($classname)) {
        return false;
    }
There is a new function in inc/toolbox.class.php that is used in
inc/ticket.class.php:
Toolbox::prepareArrayForInput()
I don't know how this affects GLPI; no more info is given by the ticket.
Maybe in GLPI the security reports should have some format like PHP does in
bugs.
2013/6/26 Brian Martin <[email protected]>
>
>
> The 0.83.91 release indicates it is a security fix. The changelog/roadmap
> links to Bug #4375 which does not have much information at all.
> https://forge.indepnet.net/issues/4375
>
> Can you please clarify if this corresponds with one of the public
> vulnerabilities in GLPI, or represents a new one?
> http://direct.osvdb.org/search?search%5Bvuln_title%5D=glpi&search%5Btext_type%5D=titles
>
> Thanks,
>
> Brian Martin
> OSF / OSVDB.org
>
> http://freecode.com/projects/glpi/releases/355778
>
> https://forge.indepnet.net/projects/glpi/roadmap?tracker_ids[]=1&tracker_ids[]=2&tracker_ids[]=4&completed=1&with_subprojects=0#0.83.91
>
>
> _______________________________________________
> Glpi-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/glpi-dev
>
>
--
Daniel Carrero Canales
+56974726453
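
The two checks quoted in the message above, side by side, as an added example that is not part of the original message and is not GLPI code. The name-to-path mapping in candidate_path(), the realpath containment check in stays_inside() and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added illustration, not GLPI code. The name-to-path mapping and the
// directory layout are assumptions made for this example.

// Check as quoted for 0.83.9: only empty and numeric names are refused.
function name_allowed_0839(string $classname): bool
{
    return !(empty($classname) || is_numeric($classname));
}

// Check as quoted for 0.83.91: names containing a dot are refused too.
function name_allowed_08391(string $classname): bool
{
    return !(empty($classname) || is_numeric($classname)
        || (strpos($classname, '.') !== false));
}

// Hypothetical loader step: turn a class name into a file under $incDir.
function candidate_path(string $incDir, string $classname): string
{
    return $incDir . '/' . strtolower($classname) . '.class.php';
}

// Defence in depth (assumption, not from the page): resolve the path and
// confirm it is still inside $incDir before including anything.
function stays_inside(string $incDir, string $path): bool
{
    $base = realpath($incDir);
    $real = realpath($path);
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed layout: one class file under inc/ and one file outside it.
$root = sys_get_temp_dir() . '/glpi-demo-' . getmypid();
mkdir("$root/inc", 0700, true);
file_put_contents("$root/inc/ticket.class.php", "<?php\n");
file_put_contents("$root/outside.class.php", "<?php\n");

foreach (['Ticket', '../outside', '42', ''] as $name) {
    $path = candidate_path("$root/inc", $name);
    printf("%-12s old=%-5s new=%-5s inside=%s\n",
        var_export($name, true),
        var_export(name_allowed_0839($name), true),
        var_export(name_allowed_08391($name), true),
        var_export(stays_inside("$root/inc", $path), true));
}
array_map('unlink', ["$root/inc/ticket.class.php", "$root/outside.class.php"]);
rmdir("$root/inc"); rmdir($root);
```

Run it with the PHP command-line interpreter; each row shows which of the two quoted checks accepts the name and whether the resolved file would still sit under the constructed inc/ directory.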