roller-dev mailing list archives

From Dave <snoopd...@gmail.com>
Subject Announcing RC builds on the project blog and user list? (was Re: VOTE: Release Apache Roller 3.0.1 RC1 fix release)
Date Thu, 05 Apr 2007 15:53:04 GMT
Apparently nobody on the list has time to check these XSS fixes out,
but it's pretty clear we need to validate these builds and get the
fixes out.

To encourage others to help with testing, should I post about them on
the Project blog and say something like:

"Roller patch releases in testing. New builds of Roller Version 2.3
and Roller 3.0 have been created to address security vulnerabilities.
These builds are "release candidate" builds and are for testing
purposes only. You can get builds Roller 3.0.1 RC1 and Roller 2.3.1
RC1 from this location: XXX"

- Dave
On 3/23/07, Dave <snoopdave@gmail.com> wrote:
> Roller 3.0.1: minor release to fix security risk
>
> *** Fixes for Cross-site Scripting (XSS) vulnerabilities
>
> Fixed multiple XSS vulnerabilities. Changes were isolated in these files:
>
> - WEB-INF/lib/roller-web.jar
>   Now strips HTML from all incoming comment fields
>
> - WEB-INF/velocity/weblog.vm
>   Now HTML-escapes all comment-form fields before display
>
> - WEB-INF/jsps/authoring/CommentManagement.jsp
>   Now HTML-escapes all comment-form fields before display
>
> - WEB-INF/jsps/tiles/head.jsp
>   Eliminated the "look" request parameter, which was for debugging only
>
> - roller-ui/widgets/date.jsp
>   Now HTML-escapes value field of date widget
>
>
> Apache Roller 3.0.1 RC1 files are available here:
> http://people.apache.org/~snoopdave/apache-roller-3.0.1
>
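
As an added illustration of the two layers the quoted fix list describes (strip HTML from incoming comment fields, then HTML-escape every field before display, including attribute values such as the date widget's value), here is example Java that is not Roller's own code; the class, method names and the sample comment are constructed for the example:

```java
import java.util.regex.Pattern;

/**
 * Constructed example, not Roller code: input stripping plus output
 * escaping for an untrusted blog comment.
 */
public class CommentRendering {
    // Constructed sample of an untrusted comment submission.
    static final String NAME = "Bob <b>bold</b>";
    static final String URL = "http://example.invalid/\" onmouseover=\"x()";
    static final String CONTENT = "Nice post & thanks <script>x()</script>";

    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    /** Input layer: drop anything that looks like a tag before storage.
     *  Note that a bare quote survives this, so stripping alone is not enough. */
    static String stripHtml(String s) {
        return TAG.matcher(s).replaceAll("");
    }

    /** Output layer: escape the five characters that change meaning in HTML
     *  text or inside a double- or single-quoted attribute value. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render one comment; every field is escaped at display time,
     *  whether or not it was stripped when it came in. */
    static String render(String name, String url, String content) {
        return "<a href=\"" + escapeHtml(url) + "\">" + escapeHtml(name) + "</a>"
             + "<p>" + escapeHtml(content) + "</p>";
    }

    public static void main(String[] args) {
        // Stripping leaves the attribute-breaking quote in URL in place...
        System.out.println(stripHtml(URL));
        // ...escaping on output neutralises it along with the stripped content.
        System.out.println(render(stripHtml(NAME), stripHtml(URL), stripHtml(CONTENT)));
    }
}
```

The first line printed still contains the raw quote, which is why the escape-on-display changes in weblog.vm, CommentManagement.jsp and date.jsp matter even after roller-web.jar strips tags on input.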
