Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Matts (1087)

  (email not shown publicly)

I work for MessageLabs [] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Monday January 21, 2002
10:04 AM

[ #2289 ]

I've spent today closing off bugs on It's been good, and I've enjoyed doing it, because people have been good enough to put patches in with their bug reports (and some bugs just magically fixed themselves with other patches).

However I got extremely worried about the number of bug reports on there that had XML in, where the XML didn't get displayed. This is a pretty sure sign of a cross site scripting vulnerability. So I tested it and sure enough, CSS bugs. Quite concerned I fired off a vulnerability assessment to About 5 minutes later I got an email denying the bug, so I replied with a URL, and got an "Oops, that shouldn't happen" reply back, followed by another 5 mins later saying it was fixed. Apparently was running an untested beta of RT (tut, tut ;-) which they had never released to the public other than (which means they don't need to send an email to BugTraq telling everyone to upgrade urgently).

Kudos to them for being so responsive though. I'm really glad RT is there on - it has made bug fixing LibXML much more scalable - previously I'd get bug reports to me personally, to the xml-libxml-devel mailing list, some on the gnome libxml list, and some on the perl-xml list. Now I just tell people if they don't put the bug report on RT it will get lost in the bit-bucket, and so they comply. Fantastic stuff.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.