Paste security problem in static file handling


Ian Bicking

Dec 18, 2006, 12:10:00 AM
to wsgi-securi...@googlegroups.com
Paste 1.1 and 1.0.1 fix a security problem with static file serving and
Paste's HTTP server. Paste's HTTP server did not URL unquote the
request path, and then the static file server did not check the unquoted
value against the proper root location before testing it. Using this
you could escape the root.

This only affects Paste's static file handling, combined with the Paste
HTTP server, and without Apache proxying (Apache normalizes request
paths before passing them on).

--
Ian Bicking | ia...@colorstudy.com | http://blog.ianbicking.org
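The defect described in the post, order of operations between URL decoding and the root check, is easy to reproduce in isolation. The following is an added illustration, not Paste's own code: a check-before-decode resolver next to a decode-then-check one, using only pure path arithmetic so it runs without touching the filesystem. The document root `/srv/www/static` and the request paths are constructed sample values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample document root; a real server would use its configured directory.
ROOT = "/srv/www/static"


def _is_under_root(candidate: str, root: str) -> bool:
    """True if the normalized candidate is root itself or lies strictly beneath it."""
    root = posixpath.normpath(root)
    return candidate == root or candidate.startswith(root + "/")


def resolve_vulnerable(request_path: str, root: str = ROOT) -> Optional[str]:
    """Checks the still-encoded request path against the root, then decodes.

    This mirrors the bug class from the post: normpath never sees "%2e%2e" as
    "..", so the containment check passes, and the unquote afterwards hands the
    filesystem a path that climbs out of the root.
    """
    candidate = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    if not _is_under_root(candidate, root):
        return None  # catches a literal "../", but nothing that was percent-encoded
    return unquote(candidate)


def resolve_safe(request_path: str, root: str = ROOT) -> Optional[str]:
    """Decodes exactly once, normalizes, and only then checks containment.

    Decoding happens before the check, so "%2e%2e" and ".." are treated
    identically; the single unquote also avoids double-decoding surprises.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # embedded NUL bytes have no legitimate use in a file name
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if not _is_under_root(candidate, root):
        return None
    return candidate


if __name__ == "__main__":
    for path in ("/css/site.css", "/img/my%20logo.png",
                 "/../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{path:40} vulnerable={resolve_vulnerable(path)!r:45} safe={resolve_safe(path)!r}")
```

The pure-path check above is the minimum; a production static file handler should additionally resolve the candidate with `os.path.realpath` and compare against the realpath of the root, so that a symlink inside the document root cannot point the server outside it.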
