Changeset 3850:d4841d6d65d6 for inc/core

Timestamp:

09/02/18 09:21:11 (7 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

Message:

Security: Authenticated cross-site scripting (XSS) was possible due to the .ahtml (or .bhtml, .chtml, …) file extension being allowed in the media manager.
Thank's Josiah Pierce for reporting this

File:

: 1 edited

inc/core/class.dc.core.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

inc/core/class.dc.core.php

r3731	r3850
1379	1379	array('lang', 'string', 'en',
1380	1380	'Default blog language'),
1381		array('media_exclusion', 'string', '/\.(phps?\|pht(ml)?\|phl\|s?html?\|js\|htaccess)[0-9]*$/i',
	1381	array('media_exclusion', 'string', '/\.(phps?\|pht(ml)?\|phl\|.?html?\|js\|htaccess)[0-9]*$/i',
1382	1382	'File name exclusion pattern in media manager. (PCRE value)'),
1383	1383	array('media_img_m_size', 'integer', 448,

Note: See TracChangeset for help on using the changeset viewer.

Dotclear

Context Navigation

Changeset 3850:d4841d6d65d6 for inc/core

Legend:

inc/core/class.dc.core.php

Download in other formats:

Sites map