I recommend all Allura deployments upgrade EasyWidgets to version 0.2dev-20120918 immediately. If you cannot do that, apply this patch to your current easywidgets version:

https://bitbucket.org/rick446/easywidgets/changeset/9b761c63620e5cbabc89e7ab34c599bd536f3c75

That will close a vector of attack in which arbitrary filesystem paths can be specified in the URL and exposed to the requester. Example in the commit link above.
-- 
Dave Brondsema : [email protected]
http://www.brondsema.net : personal
http://www.splike.com : programming
<><
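Added illustration, not part of Dave's mail or of the EasyWidgets patch: a hypothetical Python static-resource resolver showing the flawed join-and-serve pattern beside a containment check of the kind that closes this class of path exposure. `unsafe_resolve`, `safe_resolve`, `demo` and the fixture files are constructed names, not EasyWidgets code.

```python
import os
import shutil
import tempfile


def unsafe_resolve(root_dir, requested):
    """Flawed pattern: join the URL path onto the resource root and serve it.
    '..' segments walk out of root_dir, and os.path.join discards root_dir
    entirely when `requested` is an absolute path."""
    return os.path.join(root_dir, requested)


def safe_resolve(root_dir, requested):
    """Return the real path of the requested file only if it lies inside
    root_dir and is a regular file; otherwise return None."""
    root = os.path.realpath(root_dir)
    # Strip leading slashes so an absolute URL path cannot replace the root.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # realpath has collapsed '..' and followed symlinks; now demand containment.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed fixture: a resource root holding one legitimate file, plus a
    sibling file outside the root that a traversal request tries to reach."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "static")
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "js", "widget.js"), "w") as f:
        f.write("// legitimate asset")
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as f:
        f.write("must never be served")
    results = {
        "legit_ok": safe_resolve(root, "js/widget.js") is not None,
        "traversal_blocked": safe_resolve(root, "../secret.txt") is None,
        "absolute_blocked": safe_resolve(root, outside) is None,
        "dir_blocked": safe_resolve(root, "js") is None,
        # The flawed resolver happily points at the file outside the root.
        "unsafe_escapes": os.path.exists(unsafe_resolve(root, "../secret.txt")),
    }
    shutil.rmtree(base)
    return results
```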
