On Jan 13, 11:39 pm, "Christian Wyglendowski" <
christ...@dowski.com>
wrote:
Hello,
the fix for this vulnerability breaks certain kind file path settings
for Windows. Specifically, python allows the use of forward slashes
even on Windows. Moreover one may even forego the use of the drive
letter as well, thus:
/Windows/System32
is just as valid as of a path as
C:\Windows\System32
This makes it very easy to develop on one platform and move code to
the other, because one does not need to deal with converting the
slashes.
The current fix involves path normalization that changes forward
slashed to backslashes thus the storage path won't match the start of
the normalized full path and the program will fail with the 'Invalid
session id in cookie' error message. The solution is to normalize the
storage path as well. Better yet I would recommend using absolute
paths, that way the drive letters are replaced as well. Here is my
temporary fix for the problem:
--- /home/ialbert/../down/firefox/CherryPy-3.0.3/cherrypy/lib/
sessions.py 2008-01-13 16:38:36.000000000 -0500
+++ sessions.py 2008-01-23 09:06:10.493000000 -0500
@@ -260,8 +260,14 @@
os.path.abspath(self.storage_path)))
def _get_file_path(self):
- f = os.path.join(self.storage_path, self.SESSION_PREFIX +
self.id)
- if not os.path.normpath(f).startswith(self.storage_path):
+
+ def join( *args ):
+ return os.path.abspath( os.path.join(*args) )
+
+ storage_path = join( self.storage_path )
+ f = join(self.storage_path, self.SESSION_PREFIX +
self.id)
+
+ if not f.startswith(storage_path):
raise cherrypy.HTTPError(400, "Invalid session id in
cookie.")
return f
best,
Istvan