jka Posted January 6, 2018 Share Posted January 6, 2018 BSmither et-all. We are on 6.1.12, however would like to address the security issue with database class php. Can we just copy that file alone from 6.1.13 and patch it into 6.1.12? Quote Link to comment Share on other sites More sharing options...
bsmither Posted January 7, 2018 Share Posted January 7, 2018 The fix is not implemented with modifying the database class. Even though that is where the logic flaw exists, changing that would break too many other things. Instead the specific code that calls the database is changed by adjusting what gets sent to the database function. See: https://github.com/cubecart/v6/commit/5ebea417da142530b558d18ef6132346de0d1cca You may be able to just replace the User class. Quote Link to comment Share on other sites More sharing options...
jka Posted January 7, 2018 Author Share Posted January 7, 2018 BSmither, Just the user.class? not the cubecart.class? Quote Link to comment Share on other sites More sharing options...
bsmither Posted January 7, 2018 Share Posted January 7, 2018 Regarding the changes in the CubeCart class file, forcing a string type cast on a variable that is already a string and seems to continue to be a string later on seems to be over-cautionary. However, I am not privy to the reasoning and decision making behind these particular changes. Granted, there is absolutely no harm done by making these type casts. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.