Issue 961511
Created on 2004-05-27 11:51 by kent_turbo, last changed 2004-05-27 21:48 by richard.
File name | Uploaded | Description
roundup-fss2.patch | kent_turbo, 2004-05-27 15:36 | now it really fixes this hole
msg1272
Author: [hidden] (kent_turbo)
Date: 2004-05-27 11:51
Roundup uses the /home/@@file/ prefix to get static files
from the filesystem. It does not restrict in any way
the files that are handled.
I have a roundup tracker home at /home/kent/cit, then I
do the following:

kent@kent:~$ nc localhost 8080
GET /cit/@@file/../../../../etc/passwd HTTP/1.0
Host: kent

HTTP/1.0 200 OK
Server: BaseHTTP/0.3 Python/2.3.3
Date: Thu, 27 May 2004 11:47:04 GMT
Last-Modifed: Tue, 18 May 2004 14:00:15 GMT
Content-Length: 1088
Content-Type: text/plain
Pragma: no-cache

and my actual /etc/passwd follows.
Perhaps the roundup web interface should restrict @@file
requests to some directory.
msg1273
Author: [hidden] (kent_turbo)
Date: 2004-05-27 15:41
I have attached a patch that fixes this bug. It uses
os.path.normpath to normalise the path, and then checks that
the file to be served resides under the STATIC_FILES (new
variable in the config) path. The config.py files in the templates are
patched to include this new variable.
msg1274
Author: [hidden] (kent_turbo)
Date: 2004-05-27 16:18
I have attached a patch that fixes this bug. It uses
os.path.normpath to normalise the path, and then checks that
the file to be served resides under the STATIC_FILES (new
variable in the config) path. The config.py files in the templates are
patched to include this new variable.
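The normalise-then-contain check described in msg1273 and msg1274, written out as an added example; this is not the attached roundup-fss2.patch or Roundup's own code, and the STATIC_FILES directory and request paths are constructed values.

```python
import posixpath

# Constructed example value: the tracker's static-file directory, playing the
# role of the STATIC_FILES config variable from the patch description.
STATIC_FILES = "/home/kent/cit/html"


def naive_resolve(static_root, requested):
    """Unchecked join, the shape of the behaviour reported in msg1272.

    Normalisation alone collapses '..' but does not keep the result inside
    static_root, so '../../../../etc/passwd' resolves to /etc/passwd.
    """
    return posixpath.normpath(posixpath.join(static_root, requested))


def resolve_static_file(static_root, requested):
    """Map the path after @@file/ onto a file under static_root.

    Returns the normalised absolute path, or None when the request would
    name something outside static_root (or static_root itself).
    """
    root = posixpath.normpath(static_root)
    # A leading '/' would make posixpath.join discard root entirely, so the
    # client-supplied part is always treated as relative.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # commonpath compares whole components: root + "-other/x" is rejected,
    # which a plain startswith(root) check would wrongly accept.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    # normpath is purely lexical; symlinks under root are not resolved here,
    # so os.path.realpath is needed if the static tree may contain them.
    return candidate


def classify_requests(static_root, paths):
    """Return {requested_path: resolved_path_or_None} for a batch of requests."""
    return {p: resolve_static_file(static_root, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests covering the normal case and the traversals.
    samples = ["style.css", "sub/../style.css", "../../../../etc/passwd",
               "/etc/passwd", "../html-other/x", ""]
    for path, resolved in classify_requests(STATIC_FILES, samples).items():
        print("%-28r -> %s" % (path, resolved or "REJECTED"))
```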
msg1275
Author: [hidden] (richard)
Date: 2004-05-27 21:48
Fixed, and I'll put up new releases for 0.6 and 0.7 ASAP.
Thanks for the report.
Date | User | Action | Args
2004-05-27 11:51:39 | kent_turbo | create |