Last modified: 2014-08-30 20:45:15 UTC
Reported by theDJ:
We have a bug with filenames with quotes in them.
file: http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_%22Menzo%22_-_Zuidgevel_-_RM_15285_01.JPG
api request: http://toolserver.org/~multichill/monapi/api.php?action=images&imcountry=nl&imid=15285&format=html&props=img_name
Generated html: <a href="http://commons.wikimedia.org/wiki/File:Vakwerkboerderij_" menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/9/98/Vakwerkboerderij_" menzo"_-_zuidgevel_-_rm_15285_01.jpg="" 100px-vakwerkboerderij_"menzo"_-_zuidgevel_-_rm_15285_01.jpg"=""></a>
Possible injection attack vector.
Introduced by r266 - r269 in 2011-08-01. Fixed in r1055. Please update your local copy.
That's https://fisheye.toolserver.org/changelog/erfgoed?cs=1055 but I'm pretty sure that '..' is not valid PHP.
Fixed in r1056
If this is fixed on the live TS copy, please move this bug out of the security area.
Platonides?
When can we get this moved out of the Security component?
Moving to "Tool labs tools". It's not quite the right product, but it's the closest I could find.
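The quoting problem from the report at the top of this thread, as an added example: it is not the tool's own code or the r1055/r1056 change, and the function names are hypothetical. It builds the same link once by plain concatenation and once with the file name percent-encoded for the URL and HTML-escaped for the attribute and text contexts.

```php
<?php
// Added example: hypothetical helpers, not the tool's own code.

// Unsafe: the file name is concatenated into the attribute unescaped, so a
// '"' in the name closes href early and the rest is parsed as new attributes.
function imageLinkUnsafe(string $base, string $name): string
{
    return '<a href="' . $base . $name . '">' . $name . '</a>';
}

// Escaped: percent-encode the name as a URL path segment, then HTML-escape
// each value for the context it is written into.
function imageLinkEscaped(string $base, string $name): string
{
    // rawurlencode() turns '"' into %22, so the URL itself carries no quote.
    $url = $base . rawurlencode($name);
    // ENT_QUOTES escapes both " and ', covering either attribute quoting style.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $text . '</a>';
}

$base = 'http://commons.wikimedia.org/wiki/File:';
// File name taken from the report in this thread.
$name = 'Vakwerkboerderij_"Menzo"_-_Zuidgevel_-_RM_15285_01.JPG';

echo imageLinkUnsafe($base, $name), "\n";   // href ends at the first quote in the name
echo imageLinkEscaped($base, $name), "\n";  // href holds %22, link text holds &quot;
```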