From 7a74538a61861eea14a02a3934decc70851e5027 Mon Sep 17 00:00:00 2001
From: Yahnis Elsts
Date: Tue, 23 May 2017 14:52:32 +0300
Subject: [PATCH] Remove slug from the "package not found" error message.

A user reported that the slug could be used for content injection attacks. While it's impossible to inject HTML/CSS/JS code, even plain text can theoretically be abused for social engineering purposes. I'd like to allow relatively free-form slugs (basically, any valid file name can be a slug), so there doesn't seem to be a way to eliminate this kind of risk other than just not showing the slug.
---
 includes/Wpup/UpdateServer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/Wpup/UpdateServer.php b/includes/Wpup/UpdateServer.php
index 6a8f5be..51638db 100644
--- a/includes/Wpup/UpdateServer.php
+++ b/includes/Wpup/UpdateServer.php
@@ -153,7 +153,7 @@ protected function validateRequest($request) {
 $this->exitWithError('You must specify a package slug.', 400);
 }
 if ( $request->package === null ) {
- $this->exitWithError(sprintf('Package "%s" not found', htmlentities($request->slug)), 404);
+ $this->exitWithError('Package not found', 404);
 }
 }
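Review bot: The new `exitWithError('Package not found', 404)` line carries no hint of why the slug was dropped, so a later maintainer tidying error messages could reintroduce the reflected value; a short comment at that line would pin the intent, e.g. `// Deliberately omit the slug: echoing request-controlled input in the error body enables content injection / social-engineering text even after htmlentities().` The same consideration applies to any other exitWithError call in this file that formats request-derived values, which cannot be seen from this hunk. If operators still need the requested slug for diagnostics, a server-side log entry is the right place for it rather than the response body, though the hunk shows nothing about how logging is done here. validateRequest starts before the hunk.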