ANN: CherryPy 3.0.3 Released


Christian Wyglendowski

Jan 13, 2008, 11:39:27 PM
to cherryp...@googlegroups.com, python-ann...@python.org
Announcing CherryPy 3.0.3. This release fixes two important bugs.

1) Security vulnerability when using file-based sessions
(http://www.cherrypy.org/ticket/744).
2) A memory leak (http://www.cherrypy.org/ticket/718).

A full log of the changes since 3.0.2 can be found here:
http://www.cherrypy.org/log/branches/cherrypy-3.0.x?action=stop_on_copy&rev=1845&stop_rev=1702&mode=stop_on_copy

Get the release at the following link or via easy_install
(easy_install "CherryPy==3.0.3"):
http://www.cherrypy.org/wiki/CherryPyDownload

Instructions for upgrading from 2.x are here:
http://www.cherrypy.org/wiki/UpgradeTo30

General information on new stuff in 3.0.x:
http://www.cherrypy.org/wiki/WhatsNewIn30

Thanks to everyone who contributed bug reports and code for this release.

Christian Wyglendowski
CherryPy Team

Istvan Albert

Jan 23, 2008, 9:26:37 AM
to cherrypy-users


On Jan 13, 11:39 pm, "Christian Wyglendowski" <christ...@dowski.com>
wrote:
> Announcing CherryPy 3.0.3. This release fixes two important bugs.
>
> 1) Security vulnerability when using file-based sessions
> (http://www.cherrypy.org/ticket/744).

Hello,

the fix for this vulnerability breaks certain kinds of file path settings
for Windows. Specifically, Python allows the use of forward slashes
even on Windows. Moreover, one may even forgo the use of the drive
letter as well, thus:

/Windows/System32

is just as valid a path as

C:\Windows\System32

This makes it very easy to develop on one platform and move code to
the other, because one does not need to deal with converting the
slashes.

The current fix involves path normalization that changes forward
slashes to backslashes, thus the storage path won't match the start of
the normalized full path and the program will fail with the 'Invalid
session id in cookie' error message. The solution is to normalize the
storage path as well. Better yet, I would recommend using absolute
paths; that way the drive letters are replaced as well. Here is my
temporary fix for the problem:

--- /home/ialbert/../down/firefox/CherryPy-3.0.3/cherrypy/lib/
sessions.py 2008-01-13 16:38:36.000000000 -0500
+++ sessions.py 2008-01-23 09:06:10.493000000 -0500
@@ -260,8 +260,14 @@
os.path.abspath(self.storage_path)))

def _get_file_path(self):
- f = os.path.join(self.storage_path, self.SESSION_PREFIX +
self.id)
- if not os.path.normpath(f).startswith(self.storage_path):
+
+ def join( *args ):
+ return os.path.abspath( os.path.join(*args) )
+
+ storage_path = join( self.storage_path )
+ f = join(self.storage_path, self.SESSION_PREFIX +
self.id)
+
+ if not f.startswith(storage_path):
raise cherrypy.HTTPError(400, "Invalid session id in
cookie.")
return f
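Review bot: the new `if not f.startswith(storage_path):` test still compares a plain string prefix, so a resolved path that lands in a sibling directory whose name merely begins with the storage directory name (for example `.../sessions-old/` beside `.../sessions/`) would pass; compare the parent directory as a whole path component instead, e.g. `if os.path.dirname(f) != storage_path:`, or append `os.sep` to `storage_path` before the `startswith`. A smaller point: the second call still reads `join(self.storage_path, ...)` rather than the local `storage_path` computed one line earlier; it is harmless because `join` makes both absolute, but using one name makes the intent clearer.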

best,

Istvan
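A separator-safe version of the containment check discussed in this thread, written as an added example in Python; it is neither CherryPy's code nor Istvan's patch, and the `SESSION_PREFIX` value and sample paths are assumed:

```python
import os

SESSION_PREFIX = "session-"  # assumed prefix for this example, not CherryPy's own constant


class InvalidSessionId(ValueError):
    """Stands in for cherrypy.HTTPError(400, 'Invalid session id in cookie.')."""


def prefix_check(storage_path, session_id):
    """The comparison style of the posted patch: make both absolute, then startswith."""
    root = os.path.abspath(storage_path)
    candidate = os.path.abspath(os.path.join(root, SESSION_PREFIX + session_id))
    return candidate.startswith(root)


def session_file_path(storage_path, session_id):
    """Resolve the session file and require it to sit directly inside storage_path.

    Both sides are made absolute, so a storage path written with forward slashes,
    doubled separators or (on Windows) without a drive letter compares equal to
    the normalized candidate. Separators are refused in the id outright, and the
    parent directory is compared as a whole path component, which a bare string
    prefix test does not guarantee.
    """
    root = os.path.abspath(storage_path)
    separators = {"/", os.sep, os.altsep or "/"}
    if not session_id or any(sep in session_id for sep in separators):
        raise InvalidSessionId(session_id)
    candidate = os.path.abspath(os.path.join(root, SESSION_PREFIX + session_id))
    if os.path.dirname(candidate) != root:
        raise InvalidSessionId(session_id)
    return candidate


def accepted(storage_path, session_id):
    """True if session_file_path accepts the id, False if it rejects it."""
    try:
        session_file_path(storage_path, session_id)
        return True
    except InvalidSessionId:
        return False


if __name__ == "__main__":
    root = "/tmp/sessions/"  # constructed sample storage path with a trailing slash
    print(session_file_path(root, "abc123"))
    # The sibling-directory case: the prefix comparison passes, the parent check does not.
    sibling = "x/../../sessions-old/y"
    print(prefix_check(root, sibling), accepted(root, sibling))
```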

fumanchu

Mar 18, 2008, 2:29:29 PM
to cherrypy-users